CVE-2023-52323
Published: 5 January 2024
PyCryptodome and pycryptodomex before 3.19.1 allow side-channel leakage for OAEP decryption, exploitable for a Manger attack.
Notes
| Author | Note |
|---|---|
| mdeslaur | Ubuntu 20.04 LTS and older contain a substantially older codebase which would require major intrusive changes to remediate all side-channel attacks. Due to the high risk of regressions, we will not be fixing this issue in focal and older. If this issue is critical in your environment, we recommend migrating to a more recent version of Ubuntu. |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
pycryptodome Launchpad, Ubuntu, Debian |
bionic |
Ignored
|
| focal |
Ignored
|
|
| jammy |
Released
(3.11.0+dfsg1-3ubuntu0.1)
|
|
| lunar |
Ignored
(end of life, was needed)
|
|
| mantic |
Needed
|
|
| noble |
Not vulnerable
(3.20.0+dfsg-1)
|
|
| trusty |
Ignored
(end of standard support)
|
|
| upstream |
Needs triage
|
|
| xenial |
Ignored
(end of standard support)
|
|
|
Patches: upstream: https://github.com/Legrandin/pycryptodome/commit/afb5e27a15efe59e33c2825d40ef44995c13b8bc upstream: https://github.com/Legrandin/pycryptodome/commit/519e7aea6de4e8f03b62c6e1dba724aca738882e upstream: https://github.com/Legrandin/pycryptodome/commit/0deea1bfe1489e8c80d2053bbb06a1aa0b181ebd |
||
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 5.9 |
| Attack vector | Network |
| Attack complexity | High |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | None |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |