Vulnerabilities > CVE-2021-43398 - Information Exposure Through Discrepancy vulnerability in Cryptopp Crypto++

CVSS 5.3 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

LOW

Integrity impact

NONE

Availability impact

NONE

network

low complexity

cryptopp

CWE-203

NVD

Published: 2021-11-04

Updated: 2024-04-11

Summary

Crypto++ (aka Cryptopp) 8.6.0 and earlier contains a timing leakage in MakePublicKey(). There is a clear correlation between execution time and private key length, which may cause disclosure of the length information of the private key. This might allow attackers to conduct timing attacks. NOTE: this report is disputed by the vendor and multiple third parties. The execution-time differences are intentional. A user may make a choice of a longer key as a tradeoff between strength and performance. In making this choice, the amount of information leaked to an adversary is of infinitesimal value

Vulnerable Configurations

Part	Description	Count
Application	Cryptopp Cryptopp Crypto++ 5.0 Cryptopp Crypto++ 5.1 Cryptopp Crypto++ 5.2 Cryptopp Crypto++ 5.2.1 Cryptopp Crypto++ 5.2.3 Cryptopp Crypto++ 5.3.0 Cryptopp Crypto++ 5.4 Cryptopp Crypto++ 5.5 Cryptopp Crypto++ 5.5.1 Cryptopp Crypto++ 5.5.2 Cryptopp Crypto++ 5.6.0 Cryptopp Crypto++ 5.6.1 Cryptopp Crypto++ 5.6.2 Cryptopp Crypto++ 5.6.3 Cryptopp Crypto++ 5.6.4 Cryptopp Crypto++ 5.6.5 Cryptopp Crypto++ 6.0.0 Cryptopp Crypto++ 6.1.0 Cryptopp Crypto++ 7.0.0 Cryptopp Crypto++ 8.0.0 Cryptopp Crypto++ 8.1.0 Cryptopp Crypto++ 8.2.0 Cryptopp Crypto++ 8.3.0 Cryptopp Crypto++ 8.4.0 Cryptopp Crypto++ 8.5.0 Cryptopp Crypto++ 8.6.0	26

Common Weakness Enumeration (CWE)

CWE-203 - Information Exposure Through Discrepancy

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References