CVE-2021-43398
Summary
| CVE | CVE-2021-43398 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-11-04 21:15:00 UTC |
| Updated | 2023-11-07 03:39:00 UTC |
| Description | ** DISPUTED ** Crypto++ (aka Cryptopp) 8.6.0 and earlier contains a timing leakage in MakePublicKey(). There is a clear correlation between execution time and private key length, which may cause disclosure of the length information of the private key. This might allow attackers to conduct timing attacks. NOTE: this report is disputed by the vendor and multiple third parties. The execution-time differences are intentional. A user may make a choice of a longer key as a tradeoff between strength and performance. In making this choice, the amount of information leaked to an adversary is of infinitesimal value. |
Risk And Classification
Problem Types: CWE-203
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Dangerous Correlation Between Key Length and Execution Time · Issue #1080 · weidai11/cryptopp · GitHub | MISC | github.com | |
| Dangerous Correlation Between Key Length and Execution Time · Issue #1080 · weidai11/cryptopp · GitHub | MISC | github.com | |
| Crypto++ Library 8.6 | Free C++ Class Library of Cryptographic Schemes | MISC | cryptopp.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.