Vulnerabilities > CVE-2024-25714 - Information Exposure Through Discrepancy vulnerability in multiple products

CVSS 9.8 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

rhonabwy-project

debian

CWE-203

critical

NVD

Published: 2024-02-11

Updated: 2024-10-18

Summary

In Rhonabwy through 1.1.13, HMAC signature verification uses a strcmp function that is vulnerable to side-channel attacks, because it stops the comparison when the first difference is spotted in the two signatures. (The fix uses gnutls_memcmp, which has constant-time execution.)

Vulnerable Configurations

Part	Description	Count
Application	Rhonabwy_Project Rhonabwy Project Rhonabwy 0.9.2 Rhonabwy Project Rhonabwy 0.9.3 Rhonabwy Project Rhonabwy 0.9.4 Rhonabwy Project Rhonabwy 0.9.5 Rhonabwy Project Rhonabwy 0.9.6 Rhonabwy Project Rhonabwy 0.9.7 Rhonabwy Project Rhonabwy 0.9.8 Rhonabwy Project Rhonabwy 0.9.9 Rhonabwy Project Rhonabwy 0.9.10 Rhonabwy Project Rhonabwy 0.9.11 Rhonabwy Project Rhonabwy 0.9.12 Rhonabwy Project Rhonabwy 0.9.13 Rhonabwy Project Rhonabwy 0.9.99 Rhonabwy Project Rhonabwy 0.9.999 Rhonabwy Project Rhonabwy 0.9.9999 Rhonabwy Project Rhonabwy 1.0.0 Rhonabwy Project Rhonabwy 1.1.0 Rhonabwy Project Rhonabwy 1.1.1 Rhonabwy Project Rhonabwy 1.1.2 Rhonabwy Project Rhonabwy 1.1.3	20
OS	Debian Debian Debian Linux 11.0 Debian Debian Linux 12.0	2

Common Weakness Enumeration (CWE)

CWE-203 - Information Exposure Through Discrepancy

References

https://github.com/babelouest/rhonabwy/commit/f9fd9a1c77e48b514ebb3baf0360f87eef3d846e