Timing Attack Affecting m2crypto package, versions [0,]


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    EPSS
    0.1% (44th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-PYTHON-M2CRYPTO-6130086
  • published 18 Dec 2023
  • disclosed 13 Dec 2023
  • credit Hubert Kario

How to fix?

A fix was pushed into the master branch but not yet published.

Overview

M2Crypto is a M2Crypto: A Python crypto and SSL toolkit

Affected versions of this package are vulnerable to Timing Attack due to improper timing controls in the RSA decryption API. An attacker can potentially retrieve sensitive information by observing the time taken to perform cryptographic operations (Marvin).

Note:

This vulnerability exists due to an incomplete fix for CVE-2020-25657.

CVSS Scores

version 3.1
Expand this section

Snyk

Recommended
5.9 medium
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    High
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Unchanged
  • Confidentiality (C)
    High
  • Integrity (I)
    None
  • Availability (A)
    None
Expand this section

NVD

7.5 high
Expand this section

Red Hat

7.5 high