Inadequate Encryption Strength Affecting oqs package, versions <0.7.2


Severity

high

CVSS assessment made by Snyk's Security Team.

  • Snyk ID: SNYK-RUST-OQS-2980370
  • published: 19 Aug 2022
  • disclosed: 30 Jul 2022
  • credit: Wouter Castryck, Thomas Decru

Introduced: 30 Jul 2022

CVE: NOT AVAILABLE; CWE-326

How to fix?

Upgrade oqs to version 0.7.2 or higher.

Overview

oqs is a package providing safe Rust bindings for the liboqs C library.

Affected versions of this package are vulnerable to Inadequate Encryption Strength in the implementation of the SIDH protocol, which exposes secret SIKEp751 keys. The affected schemes are the oqs::kem::Algorithm::Sike* and oqs::kem::Algorithm::Sidh* enum variants.
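A check for this advisory, as an added example that is not part of the advisory or of the oqs project: it flags oqs entries below 0.7.2 in a Cargo.lock and lists source lines that reference the Sike*/Sidh* variants. The lockfile and source snippets are constructed, the function names are hypothetical, and SikeP751 is an assumed variant name following the Sike* pattern.

```rust
// Added example: constructed inputs, standard library only.
const FIXED: (u64, u64, u64) = (0, 7, 2); // first fixed release per the advisory
const SAMPLE_LOCK: &str = "[[package]]\nname = \"oqs\"\nversion = \"0.7.1\"\n\n[[package]]\nname = \"oqs-sys\"\nversion = \"0.7.1\"\n";
const SAMPLE_SRC: &str = "use oqs::kem::{Algorithm, Kem};\nlet kem = Kem::new(Algorithm::SikeP751)?;\nlet ok = Kem::new(Algorithm::Kyber512)?;\n";

/// Parse MAJOR.MINOR.PATCH; the bool is true when a pre-release tag is present.
fn parse_version(v: &str) -> Option<((u64, u64, u64), bool)> {
    let v = v.split('+').next()?; // drop build metadata
    let (core, pre) = v.split_once('-').map_or((v, false), |(c, _)| (c, true));
    let mut it = core.split('.').map(|p| p.parse::<u64>().ok());
    Some(((it.next()??, it.next()??, it.next()??), pre))
}

/// True for versions below 0.7.2; a 0.7.2 pre-release sorts below 0.7.2.
fn is_vulnerable(version: &str) -> bool {
    match parse_version(version) {
        Some((t, pre)) => t < FIXED || (t == FIXED && pre),
        None => true, // unparseable version: flag for manual review
    }
}

/// Extract the quoted value from a `key = "value"` lockfile line.
fn quoted_value<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let rest = line.trim().strip_prefix(key)?.trim().strip_prefix('=')?;
    rest.trim().strip_prefix('"')?.strip_suffix('"')
}

/// Versions of the `oqs` crate (exact name, not `oqs-sys`) that are affected.
fn vulnerable_oqs_versions(lockfile: &str) -> Vec<String> {
    let (mut name, mut hits) = ("", Vec::new());
    for line in lockfile.lines() {
        if line.trim() == "[[package]]" { name = ""; }
        if let Some(n) = quoted_value(line, "name") { name = n; }
        let v = quoted_value(line, "version").filter(|v| name == "oqs" && is_vulnerable(v));
        if let Some(v) = v { hits.push(v.to_string()); }
    }
    hits
}

/// 1-based line numbers that reference an affected Sike*/Sidh* variant.
fn affected_kem_lines(source: &str) -> Vec<usize> {
    source.lines().enumerate()
        .filter(|(_, l)| l.contains("Algorithm::Sike") || l.contains("Algorithm::Sidh"))
        .map(|(i, _)| i + 1).collect()
}

fn main() {
    println!("vulnerable oqs versions: {:?}", vulnerable_oqs_versions(SAMPLE_LOCK));
    println!("affected KEM use at lines: {:?}", affected_kem_lines(SAMPLE_SRC));
}
```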

CVSS Scores

version 3.1