Timing Attack Affecting m2crypto package, versions [0,]
Threat Intelligence
EPSS
0.1% (44th
percentile)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PYTHON-M2CRYPTO-6130086
- published 18 Dec 2023
- disclosed 13 Dec 2023
- credit Hubert Kario
Introduced: 13 Dec 2023
CVE-2023-50781 Open this link in a new tabHow to fix?
A fix was pushed into the master
branch but not yet published.
Overview
M2Crypto is a M2Crypto: A Python crypto and SSL toolkit
Affected versions of this package are vulnerable to Timing Attack due to improper timing controls in the RSA decryption API. An attacker can potentially retrieve sensitive information by observing the time taken to perform cryptographic operations (Marvin).
Note:
This vulnerability exists due to an incomplete fix for CVE-2020-25657.
References
CVSS Scores
version 3.1