CVE-2021-37606 — MEDIUM (5.3)

Vulnerability Description

Meow hash 0.5/calico does not sufficiently thwart key recovery by an attacker who can query whether there's a collision in the bottom bits of the hashes of two messages, as demonstrated by an attack against a long-running web service that allows the attacker to infer collisions by measuring timing differences.

CVSS Score

5.3

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Meow Hash Project	Meow Hash	0.5

Related Weaknesses (CWE)

CWE-326 CWE-203

References

https://news.ycombinator.com/item?id=27978878Third Party Advisory
https://peter.website/meow-hash-cryptanalysisThird Party Advisory
https://news.ycombinator.com/item?id=27978878Third Party Advisory
https://peter.website/meow-hash-cryptanalysisThird Party Advisory

FAQ

What is CVE-2021-37606?

CVE-2021-37606 is a vulnerability with a CVSS score of 5.3 (MEDIUM). Meow hash 0.5/calico does not sufficiently thwart key recovery by an attacker who can query whether there's a collision in the bottom bits of the hashes of two messages, as demonstrated by an attack a...

How severe is CVE-2021-37606?

CVE-2021-37606 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-37606?

Check the references section above for vendor advisories and patch information. Affected products include: Meow Hash Project Meow Hash.