CVE-2023-50781
M2crypto: bleichenbacher timing attacks in the rsa decryption api - incomplete fix for cve-2020-25657
Severity Score
7.5
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
Track
*SSVC
Descriptions
A flaw was found in m2crypto. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.
Se encontró una falla en m2crypto. Este problema puede permitir que un atacante remoto descifre mensajes capturados en servidores TLS que utilizan intercambios de claves RSA, lo que puede provocar la exposición de datos confidenciales o sensibles.
*Credits:
This issue was discovered by Hubert Kario (Red Hat).
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:Track
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2023-12-13 CVE Reserved
- 2024-02-05 CVE Published
- 2024-02-16 EPSS Updated
- 2024-11-06 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-203: Observable Discrepancy
- CWE-208: Observable Timing Discrepancy
CAPEC
References (2)
| URL | Tag | Source |
|---|---|---|
| https://access.redhat.com/security/cve/CVE-2023-50781 | Third Party Advisory | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2254426 | Issue Tracking |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | 8.0 Search vendor "Redhat" for product "Enterprise Linux" and version "8.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | 9.0 Search vendor "Redhat" for product "Enterprise Linux" and version "9.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Update Infrastructure Search vendor "Redhat" for product "Update Infrastructure" | 4 Search vendor "Redhat" for product "Update Infrastructure" and version "4" | - |
Affected
| ||||||
| M2crypto Project Search vendor "M2crypto Project" | M2crypto Search vendor "M2crypto Project" for product "M2crypto" | - | - |
Affected
| ||||||