GHSA-j6vm-4r7g-x4gr

Suggest an improvement
Source
https://github.com/advisories/GHSA-j6vm-4r7g-x4gr
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-j6vm-4r7g-x4gr/GHSA-j6vm-4r7g-x4gr.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-j6vm-4r7g-x4gr
Aliases
  • CVE-2024-11862
Published
2024-11-27T19:01:01Z
Modified
2024-11-27T19:12:24.572963Z
Severity
  • 5.1 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Devolutions.XTS.NET Vulnerable to Timing Attack on GF Multiplications
Details

Impact

Timing attacks on Galois Field multiplications in this package. Successful exploitation would effectively allow a downgrade of the security guarantees of the XTS mode to the security guarantees of ECB mode, allowing block swapping, enabling identification of identical blocks, and rendering half of the XTS key obsolete. Timing attacks require specific conditions to be exploitable.

Patches

Patched in 2024.11.26

Workarounds

Upgrade the package

References

https://en.wikipedia.org/wiki/Timing_attack

Database specific 
{
    "nvd_published_at": "2024-11-27T15:15:25Z",
    "cwe_ids": [
        "CWE-385"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-11-27T19:01:01Z"
}
References

Affected packages

NuGet / Devolutions.XTS.NET

Package

Name
Devolutions.XTS.NET
View open source insights on deps.dev
Purl
pkg:nuget/Devolutions.XTS.NET

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2024.11.26

Affected versions

2024.*
2024.11.19

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-j6vm-4r7g-x4gr/GHSA-j6vm-4r7g-x4gr.json"