Vulnerability Description
Crypto++ (aka Cryptopp) 8.6.0 and earlier contains a timing leakage in MakePublicKey(). There is a clear correlation between execution time and private key length, which may cause disclosure of the length information of the private key. This might allow attackers to conduct timing attacks. NOTE: this report is disputed by the vendor and multiple third parties. The execution-time differences are intentional. A user may make a choice of a longer key as a tradeoff between strength and performance. In making this choice, the amount of information leaked to an adversary is of infinitesimal value
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Cryptopp | Crypto\+\+ | <= 8.6.0 |
Related Weaknesses (CWE)
References
- https://cryptopp.comVendor Advisory
- https://github.com/weidai11/cryptopp/issues/1080ExploitThird Party Advisory
- https://github.com/weidai11/cryptopp/issues/1080#issuecomment-996492222ExploitIssue TrackingThird Party Advisory
- https://cryptopp.comVendor Advisory
- https://github.com/weidai11/cryptopp/issues/1080ExploitThird Party Advisory
- https://github.com/weidai11/cryptopp/issues/1080#issuecomment-996492222ExploitIssue TrackingThird Party Advisory
FAQ
What is CVE-2021-43398?
CVE-2021-43398 is a vulnerability with a CVSS score of 5.3 (MEDIUM). Crypto++ (aka Cryptopp) 8.6.0 and earlier contains a timing leakage in MakePublicKey(). There is a clear correlation between execution time and private key length, which may cause disclosure of the le...
How severe is CVE-2021-43398?
CVE-2021-43398 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2021-43398?
Check the references section above for vendor advisories and patch information. Affected products include: Cryptopp Crypto\+\+.