CVE-2024-13939 — HIGH (7.5)

Q: How severe is CVE-2024-13939?

CVE-2024-13939 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2024-13939?

Check the references section above for vendor advisories and patch information. Affected products include: Fractal String\.

Vulnerability Description

String::Compare::ConstantTime for Perl through 0.321 is vulnerable to timing attacks that allow an attacker to guess the length of a secret string. As stated in the documentation: "If the lengths of the strings are different, because equals returns false right away the size of the secret string may be leaked (but not its contents)." This is similar to CVE-2020-36829

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Fractal	String\	<= 0.321, \

Related Weaknesses (CWE)

CWE-208 CWE-203

References

https://metacpan.org/release/FRACTAL/String-Compare-ConstantTime-0.321/view/lib/Technical Description

FAQ

What is CVE-2024-13939?

CVE-2024-13939 is a vulnerability with a CVSS score of 7.5 (HIGH). String::Compare::ConstantTime for Perl through 0.321 is vulnerable to timing attacks that allow an attacker to guess the length of a secret string. As stated in the documentation: "If the lengths of ...

How severe is CVE-2024-13939?

CVE-2024-13939 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2024-13939?

Check the references section above for vendor advisories and patch information. Affected products include: Fractal String\.