CVSS: 5.9EPSS: 0%CPEs: 3EXPL: 0CVE-2024-0914 – Opencryptoki: timing side-channel in handling of rsa pkcs#1 v1.5 padded ciphertexts (marvin)
https://notcve.org/view.php?id=CVE-2024-0914
A timing side-channel vulnerability has been discovered in the opencryptoki package while processing RSA PKCS#1 v1.5 padded ciphertexts. This flaw could potentially enable unauthorized RSA ciphertext decryption or signing, even without access to the corresponding private key. Se descubrió una vulnerabilidad de canal lateral de temporización en el paquete opencryptoki mientras se procesan textos cifrados acolchados RSA PKCS#1 v1.5. Este fallo podría potencialmente permitir el descifrado o la firma de texto cifrado RSA no autorizado, incluso sin acceso a la clave privada correspondiente. • https://access.redhat.com/errata/RHSA-2024:1239 https://access.redhat.com/errata/RHSA-2024:1411 https://access.redhat.com/errata/RHSA-2024:1608 https://access.redhat.com/errata/RHSA-2024:1856 https://access.redhat.com/errata/RHSA-2024:1992 https://access.redhat.com/security/cve/CVE-2024-0914 https://bugzilla.redhat.com/show_bug.cgi?id=2260407 https://people.redhat.com/~hkario/marvin • CWE-203: Observable Discrepancy •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-3798
https://notcve.org/view.php?id=CVE-2021-3798
A flaw was found in openCryptoki. The openCryptoki Soft token does not check if an EC key is valid when an EC key is created via C_CreateObject, nor when C_DeriveKey is used with ECDH public data. This may allow a malicious user to extract the private key by performing an invalid curve attack. Se ha encontrado un fallo en openCryptoki. El token de openCryptoki Soft no comprueba si una clave EC es válida cuando es creada una clave EC por medio de C_CreateObject, ni cuando es usada C_DeriveKey con datos públicos ECDH. • https://access.redhat.com/security/cve/CVE-2021-3798 https://bugzilla.redhat.com/show_bug.cgi?id=1990591 https://github.com/opencryptoki/opencryptoki/commit/4e3b43c3d8844402c04a66b55c6c940f965109f0 https://github.com/opencryptoki/opencryptoki/pull/402 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 2.9EPSS: 0%CPEs: 12EXPL: 0CVE-2012-4454
https://notcve.org/view.php?id=CVE-2012-4454
openCryptoki before 2.4.1, when using spinlocks, allows local users to create or set world-writable permissions on arbitrary files via a symlink attack on the (1) .pkapi_xpk or (2) .pkcs11spinloc file in /tmp. openCryptoki anteriores a v2.4.1, cuando utiliza hilos de bucles de espera, permite a usuarios locales crear o dar permisos de escritura a todo el mundo para ficheros de su elección, mediante un ataque de enlace simbólico en los ficheros (1) .pkapi_xpk o (2) .pkcs11spinloc de /tmp. • http://opencryptoki.git.sourceforge.net/git/gitweb.cgi?p=opencryptoki/opencryptoki%3Ba=commitdiff%3Bh=58345488c9351d9be9a4be27c8b407c2706a33a9 http://opencryptoki.git.sourceforge.net/git/gitweb.cgi?p=opencryptoki/opencryptoki%3Ba=commitdiff%3Bh=b7fcb3eb0319183348f1f4fb90ede4edd6487c30 http://secunia.com/advisories/50702 http://sourceforge.net/mailarchive/message.php?msg_id=28878345 http://www.openwall.com/lists/oss-security/2012/09/07/2 http://www.openwall.com/lists/oss-security/2012/09/07/6 http://www.openwall.com/lists& • CWE-264: Permissions, Privileges, and Access Controls •