Common Weakness Enumeration

CWE-385

Allowed

Covert Timing Channel

Abstraction: Base · Status: Incomplete

Covert timing channels convey information by modulating some aspect of system behavior over time, so that the program receiving the information can observe system behavior and infer protected information.

76 vulnerabilities reference this CWE, most recent first.

GHSA-5739-39V2-5754

Vulnerability from github – Published: 2026-06-18 21:09 – Updated: 2026-06-18 21:09
VLAI
Summary
PHP JWT Library: RSA1_5 (RSAES-PKCS1-v1_5) decryption lacks implicit rejection, exposing a Bleichenbacher/Marvin padding oracle
Details

Impact

RSACrypt::decryptWithRSA15() (used by the RSA1_5 key-encryption algorithm) implements RSAES-PKCS1-v1_5 decryption by inspecting the padding after RSADP and throwing InvalidArgumentException as soon as the padding is malformed. It does not implement the implicit-rejection countermeasure required by RFC 3447 §7.2.2 / RFC 8017 §7.1.2 (return a deterministic pseudo-random value of the expected length on padding failure and let the downstream step fail uniformly).

From a JWE caller this yields a Bleichenbacher/Marvin padding oracle: an attacker submitting adaptively crafted encrypted_key values can distinguish (a) padding rejected, (b) padding valid but wrong CEK length, and (c) padding valid and full AEAD executed — even though JWEDecrypter returns the same false in all cases — because each path performs a measurably different amount of work, amplifiable by enlarging the ciphertext (CWE-208 timing side channel). Enough adaptive queries can recover the wrapped CEK.

Affected configurations

Applications that register RSA1_5 in their decryption AlgorithmManager and hold an RSA private key.

Patches

PKCS#1 v1.5 decryption now performs implicit rejection: on invalid padding (or unexpected recovered length) it returns a random CEK of the expected size selected in constant time, so the full content-decryption (AEAD) step always runs and fails uniformly, removing the observable difference between padding-valid and padding-invalid ciphertexts. Users are still strongly encouraged to migrate to RSA-OAEP.

Workarounds

Prefer RSA-OAEP/RSA-OAEP-256; do not enable RSA1_5 for untrusted tokens.

References

  • RFC 3447 §7.2.2 / RFC 8017 §7.1.2
  • Bleichenbacher (1998); Marvin attack
  • CWE-208: Observable Timing Discrepancy

Résolution

Un correctif a été préparé sur une branche dédiée basée sur 3.4.x, avec des tests anti-régression dédiés (fork privé temporaire de cette advisory, PR #1).

RSA1_5 — déchiffrement PKCS#1 v1.5 avec implicit rejection en temps constant (RFC 3447 §7.2.2) : un padding invalide n'est plus distinguable d'un padding valide, neutralisant l'oracle Bleichenbacher.

Validation : php -l OK, PHPUnit vert, aucune nouvelle erreur PHPStan introduite (différentiel nul vs 3.4.x), aucun commentaire ajouté dans le code source. Après merge, cascade prévue 3.4.x → 4.0.x → 4.1.x.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "web-token/jwt-library"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.4.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "web-token/jwt-framework"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "4.1.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "web-token/jwt-library"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.0.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "web-token/jwt-library"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.1.0"
            },
            {
              "fixed": "4.1.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-208",
      "CWE-385"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-18T21:09:56Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Impact\n\n`RSACrypt::decryptWithRSA15()` (used by the `RSA1_5` key-encryption algorithm) implements RSAES-PKCS1-v1_5 decryption by inspecting the padding after RSADP and throwing `InvalidArgumentException` as soon as the padding is malformed. It does **not** implement the implicit-rejection countermeasure required by RFC 3447 \u00a77.2.2 / RFC 8017 \u00a77.1.2 (return a deterministic pseudo-random value of the expected length on padding failure and let the downstream step fail uniformly).\n\nFrom a JWE caller this yields a Bleichenbacher/Marvin padding oracle: an attacker submitting adaptively crafted `encrypted_key` values can distinguish (a) padding rejected, (b) padding valid but wrong CEK length, and (c) padding valid and full AEAD executed \u2014 even though `JWEDecrypter` returns the same `false` in all cases \u2014 because each path performs a measurably different amount of work, amplifiable by enlarging the ciphertext (CWE-208 timing side channel). Enough adaptive queries can recover the wrapped CEK.\n\n### Affected configurations\n\nApplications that register `RSA1_5` in their decryption `AlgorithmManager` and hold an RSA private key.\n\n### Patches\n\nPKCS#1 v1.5 decryption now performs implicit rejection: on invalid padding (or unexpected recovered length) it returns a random CEK of the expected size selected in constant time, so the full content-decryption (AEAD) step always runs and fails uniformly, removing the observable difference between padding-valid and padding-invalid ciphertexts. Users are still strongly encouraged to migrate to `RSA-OAEP`.\n\n### Workarounds\n\nPrefer `RSA-OAEP`/`RSA-OAEP-256`; do not enable `RSA1_5` for untrusted tokens.\n\n### References\n\n- RFC 3447 \u00a77.2.2 / RFC 8017 \u00a77.1.2\n- Bleichenbacher (1998); Marvin attack\n- CWE-208: Observable Timing Discrepancy\n\n## R\u00e9solution\n\nUn correctif a \u00e9t\u00e9 pr\u00e9par\u00e9 sur une branche d\u00e9di\u00e9e bas\u00e9e sur `3.4.x`, avec des tests anti-r\u00e9gression d\u00e9di\u00e9s (fork priv\u00e9 temporaire de cette advisory, PR #1).\n\n**RSA1_5** \u2014 d\u00e9chiffrement PKCS#1 v1.5 avec *implicit rejection* en temps constant (RFC 3447 \u00a77.2.2) : un padding invalide n\u0027est plus distinguable d\u0027un padding valide, neutralisant l\u0027oracle Bleichenbacher.\n\n**Validation :** `php -l` OK, PHPUnit vert, aucune nouvelle erreur PHPStan introduite (diff\u00e9rentiel nul vs `3.4.x`), aucun commentaire ajout\u00e9 dans le code source. Apr\u00e8s merge, cascade pr\u00e9vue `3.4.x \u2192 4.0.x \u2192 4.1.x`.",
  "id": "GHSA-5739-39v2-5754",
  "modified": "2026-06-18T21:09:57Z",
  "published": "2026-06-18T21:09:56Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/web-token/jwt-framework/security/advisories/GHSA-5739-39v2-5754"
    },
    {
      "type": "WEB",
      "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/web-token/jwt-library/GHSA-5739-39v2-5754.yaml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/web-token/jwt-framework"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "PHP JWT Library: RSA1_5 (RSAES-PKCS1-v1_5) decryption lacks implicit rejection, exposing a Bleichenbacher/Marvin padding oracle"
}

GHSA-5QXQ-95FV-WHXM

Vulnerability from github – Published: 2024-08-22 18:31 – Updated: 2024-08-22 21:31
VLAI
Details

An issue was discovered in Matrix libolm (aka Olm) through 3.2.16. Cache-timing attacks can occur due to use of base64 when decoding group session keys. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-45192"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-385"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-22T16:15:10Z",
    "severity": "HIGH"
  },
  "details": "An issue was discovered in Matrix libolm (aka Olm) through 3.2.16. Cache-timing attacks can occur due to use of base64 when decoding group session keys. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.",
  "id": "GHSA-5qxq-95fv-whxm",
  "modified": "2024-08-22T21:31:29Z",
  "published": "2024-08-22T18:31:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45192"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.matrix.org/matrix-org/olm"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.matrix.org/matrix-org/olm/-/commit/6d4b5b07887821a95b144091c8497d09d377f985"
    },
    {
      "type": "WEB",
      "url": "https://news.ycombinator.com/item?id=41249371"
    },
    {
      "type": "WEB",
      "url": "https://soatok.blog/2024/08/14/security-issues-in-matrixs-olm-library"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6PFC-6M7W-M8FX

Vulnerability from github – Published: 2026-03-31 23:59 – Updated: 2026-04-28 18:19
VLAI
Summary
OpenClaw has a gateway exec allowlist allow-always bypass via unregistered /usr/bin/script wrapper
Details

Summary

Allow-always persistence did not unwrap /usr/bin/script and similar wrappers to the actual executed target before storing trust decisions.

Impact

A user approval for one wrapped command could persist trust for a wrapper binary that later executed a different underlying program.

Affected Component

src/infra/dispatch-wrapper-resolution.ts, src/infra/exec-wrapper-resolution.ts

Fixed Versions

  • Affected: <= 2026.3.24
  • Patched: >= 2026.3.28
  • Latest stable 2026.3.28 contains the fix.

Fix

Fixed by commit 83da3cfe31 (infra: unwrap script wrapper approval targets).

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2026.3.24"
      },
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.3.28"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-41390"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-385"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-31T23:59:53Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\n\nAllow-always persistence did not unwrap `/usr/bin/script` and similar wrappers to the actual executed target before storing trust decisions.\n\n## Impact\n\nA user approval for one wrapped command could persist trust for a wrapper binary that later executed a different underlying program.\n\n## Affected Component\n\n`src/infra/dispatch-wrapper-resolution.ts, src/infra/exec-wrapper-resolution.ts`\n\n## Fixed Versions\n\n- Affected: `\u003c= 2026.3.24`\n- Patched: `\u003e= 2026.3.28`\n- Latest stable `2026.3.28` contains the fix.\n\n## Fix\n\nFixed by commit `83da3cfe31` (`infra: unwrap script wrapper approval targets`).",
  "id": "GHSA-6pfc-6m7w-m8fx",
  "modified": "2026-04-28T18:19:30Z",
  "published": "2026-03-31T23:59:53Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-6pfc-6m7w-m8fx"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/83da3cfe31f016841e1deedda1a604696f4c488d"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.28"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OpenClaw has a gateway exec allowlist allow-always bypass via unregistered /usr/bin/script wrapper"
}

GHSA-6PW7-QHF8-RJFF

Vulnerability from github – Published: 2022-05-13 01:36 – Updated: 2025-08-29 15:30
VLAI
Details

It was found that xorg-x11-server before 1.19.0 including uses memcmp() to check the received MIT cookie against a series of valid cookies. If the cookie is correct, it is allowed to attach to the Xorg session. Since most memcmp() implementations return after an invalid byte is seen, this causes a time difference between a valid and invalid byte, which could allow an efficient brute force attack.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-2624"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-385"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-07-27T18:29:00Z",
    "severity": "HIGH"
  },
  "details": "It was found that xorg-x11-server before 1.19.0 including uses memcmp() to check the received MIT cookie against a series of valid cookies. If the cookie is correct, it is allowed to attach to the Xorg session. Since most memcmp() implementations return after an invalid byte is seen, this causes a time difference between a valid and invalid byte, which could allow an efficient brute force attack.",
  "id": "GHSA-6pw7-qhf8-rjff",
  "modified": "2025-08-29T15:30:36Z",
  "published": "2022-05-13T01:36:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-2624"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-2624"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.freedesktop.org/xorg/xserver/commit/d7ac755f0b618eb1259d93c8a16ec6e39a18627c"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2017/11/msg00032.html"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201704-03"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/201710-30"
    },
    {
      "type": "WEB",
      "url": "https://www.x41-dsec.de/lab/advisories/x41-2017-001-xorg"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/96480"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1037919"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-944J-8CH6-RF6X

Vulnerability from github – Published: 2024-02-05 21:30 – Updated: 2026-02-27 20:57
VLAI
Summary
m2crypto Bleichenbacher timing attack - incomplete fix for CVE-2020-25657
Details

A flaw was found in m2crypto. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "m2crypto"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.40.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-50781"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203",
      "CWE-208",
      "CWE-385"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-05T22:41:57Z",
    "nvd_published_at": "2024-02-05T21:15:10Z",
    "severity": "MODERATE"
  },
  "details": "A flaw was found in m2crypto. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.",
  "id": "GHSA-944j-8ch6-rf6x",
  "modified": "2026-02-27T20:57:08Z",
  "published": "2024-02-05T21:30:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50781"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2023-50781"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254426"
    },
    {
      "type": "PACKAGE",
      "url": "https://gitlab.com/m2crypto/m2crypto"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/m2crypto/m2crypto/-/issues/342"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "m2crypto Bleichenbacher timing attack - incomplete fix for CVE-2020-25657"
}

GHSA-9779-JFG9-FRM3

Vulnerability from github – Published: 2022-05-13 01:14 – Updated: 2022-05-13 01:14
VLAI
Details

It was found that the GnuTLS implementation of HMAC-SHA-256 was vulnerable to a Lucky thirteen style attack. Remote attackers could use this flaw to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data using crafted packets.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2018-10844"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-327",
      "CWE-385"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-08-22T13:29:00Z",
    "severity": "MODERATE"
  },
  "details": "It was found that the GnuTLS implementation of HMAC-SHA-256 was vulnerable to a Lucky thirteen style attack. Remote attackers could use this flaw to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data using crafted packets.",
  "id": "GHSA-9779-jfg9-frm3",
  "modified": "2022-05-13T01:14:22Z",
  "published": "2022-05-13T01:14:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10844"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:3050"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2018:3505"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2018-10844"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1582571"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10844"
    },
    {
      "type": "WEB",
      "url": "https://eprint.iacr.org/2018/747"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gnutls/gnutls/merge_requests/657"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2018/10/msg00022.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ILMOWPKMTZAIMK5F32TUMO34XCABUCFJ"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WDYY3R4F5CUTFAMXH2C5NKYFVDEJLTT7"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ILMOWPKMTZAIMK5F32TUMO34XCABUCFJ"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WDYY3R4F5CUTFAMXH2C5NKYFVDEJLTT7"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/3999-1"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/105138"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9F4V-CW9W-G4CW

Vulnerability from github – Published: 2022-05-13 01:38 – Updated: 2022-05-13 01:38
VLAI
Details

A timing attack flaw was found in OpenSSL 1.0.1u and before that could allow a malicious user with local access to recover ECDSA P-256 private keys.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-7056"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-385"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-09-10T16:29:00Z",
    "severity": "MODERATE"
  },
  "details": "A timing attack flaw was found in OpenSSL 1.0.1u and before that could allow a malicious user with local access to recover ECDSA P-256 private keys.",
  "id": "GHSA-9f4v-cw9w-g4cw",
  "modified": "2022-05-13T01:38:43Z",
  "published": "2022-05-13T01:38:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-7056"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2017/dsa-3773"
    },
    {
      "type": "WEB",
      "url": "https://security-tracker.debian.org/tracker/CVE-2016-7056"
    },
    {
      "type": "WEB",
      "url": "https://seclists.org/oss-sec/2017/q1/52"
    },
    {
      "type": "WEB",
      "url": "https://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-7056.html"
    },
    {
      "type": "WEB",
      "url": "https://git.openssl.org/?p=openssl.git;a=commit;h=8aed2a7548362e88e84a7feb795a3a97e8395008"
    },
    {
      "type": "WEB",
      "url": "https://git.openssl.org/?p=openssl.git%3Ba=commit%3Bh=8aed2a7548362e88e84a7feb795a3a97e8395008"
    },
    {
      "type": "WEB",
      "url": "https://ftp.openbsd.org/pub/OpenBSD/patches/6.0/common/016_libcrypto.patch.sig"
    },
    {
      "type": "WEB",
      "url": "https://ftp.openbsd.org/pub/OpenBSD/patches/5.9/common/033_libcrypto.patch.sig"
    },
    {
      "type": "WEB",
      "url": "https://eprint.iacr.org/2016/1195"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7056"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1412120"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/security/cve/CVE-2016-7056"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2017:1802"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2017:1801"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2017:1415"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2017:1414"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHSA-2017:1413"
    },
    {
      "type": "WEB",
      "url": "https://access.redhat.com/errata/RHBA-2017:1929"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2017-1415.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/95375"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1037575"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9MRX-MQMG-GWJ9

Vulnerability from github – Published: 2025-09-30 15:30 – Updated: 2026-07-14 15:31
VLAI
Details

Issue summary: A timing side-channel which could potentially allow remote recovery of the private key exists in the SM2 algorithm implementation on 64 bit ARM platforms.

Impact summary: A timing side-channel in SM2 signature computations on 64 bit ARM platforms could allow recovering the private key by an attacker..

While remote key recovery over a network was not attempted by the reporter, timing measurements revealed a timing signal which may allow such an attack.

OpenSSL does not directly support certificates with SM2 keys in TLS, and so this CVE is not relevant in most TLS contexts. However, given that it is possible to add support for such certificates via a custom provider, coupled with the fact that in such a custom provider context the private key may be recoverable via remote timing measurements, we consider this to be a Moderate severity issue.

The FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as SM2 is not an approved algorithm.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-9231"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-385"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-30T14:15:41Z",
    "severity": "MODERATE"
  },
  "details": "Issue summary: A timing side-channel which could potentially allow remote\nrecovery of the private key exists in the SM2 algorithm implementation on 64 bit\nARM platforms.\n\nImpact summary: A timing side-channel in SM2 signature computations on 64 bit\nARM platforms could allow recovering the private key by an attacker..\n\nWhile remote key recovery over a network was not attempted by the reporter,\ntiming measurements revealed a timing signal which may allow such an attack.\n\nOpenSSL does not directly support certificates with SM2 keys in TLS, and so\nthis CVE is not relevant in most TLS contexts.  However, given that it is\npossible to add support for such certificates via a custom provider, coupled\nwith the fact that in such a custom provider context the private key may be\nrecoverable via remote timing measurements, we consider this to be a Moderate\nseverity issue.\n\nThe FIPS modules in 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this\nissue, as SM2 is not an approved algorithm.",
  "id": "GHSA-9mrx-mqmg-gwj9",
  "modified": "2026-07-14T15:31:28Z",
  "published": "2025-09-30T15:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9231"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openssl/openssl/commit/567f64386e43683888212226824b6a179885a0fe"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openssl/openssl/commit/cba616c26ac8e7b37de5e77762e505ba5ca51698"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openssl/openssl/commit/eed5adc9f969d77c94f213767acbb41ff923b6f4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openssl/openssl/commit/fc47a2ec078912b3e914fab5734535e76c4820c2"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-032379.html"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-089022.html"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-253495.html"
    },
    {
      "type": "WEB",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-585531.html"
    },
    {
      "type": "WEB",
      "url": "https://openssl-library.org/news/secadv/20250930.txt"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/09/30/5"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/05/11/11"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C2QM-QFP9-HX5M

Vulnerability from github – Published: 2024-03-25 09:32 – Updated: 2024-03-25 09:32
VLAI
Details

Dell PowerScale OneFS 9.5.0.x through 9.7.0.x contain a covert timing channel vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to denial of service.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-25964"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-385"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-03-25T09:15:09Z",
    "severity": "MODERATE"
  },
  "details": "Dell PowerScale OneFS 9.5.0.x through 9.7.0.x contain a covert timing channel vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to denial of service.",
  "id": "GHSA-c2qm-qfp9-hx5m",
  "modified": "2024-03-25T09:32:35Z",
  "published": "2024-03-25T09:32:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-25964"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000222691/dsa-2024-062-security-update-for-dell-powerscale-onefs-for-proprietary-code-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-C38W-74PG-36HR

Vulnerability from github – Published: 2023-11-28 23:28 – Updated: 2026-04-27 16:45
VLAI
Summary
Marvin Attack: potential key recovery through timing sidechannels
Details

Impact

Due to a non-constant-time implementation, information about the private key is leaked through timing information which is observable over the network. An attacker may be able to use that information to recover the key.

Patches

No patch is yet available, however work is underway to migrate to a fully constant-time implementation.

Workarounds

The only currently available workaround is to avoid using the rsa crate in settings where attackers are able to observe timing information, e.g. local use on a non-compromised computer is fine.

References

This vulnerability was discovered as part of the "Marvin Attack", which revealed several implementations of RSA including OpenSSL had not properly mitigated timing sidechannel attacks.

  • https://rustsec.org/advisories/RUSTSEC-2023-0071.html
  • https://people.redhat.com/~hkario/marvin/
  • https://github.com/RustCrypto/RSA/issues/19
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "rsa"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.9.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-49092"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203",
      "CWE-385"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-11-28T23:28:27Z",
    "nvd_published_at": "2023-11-28T21:15:08Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nDue to a non-constant-time implementation, information about the private key is leaked through timing information which is observable over the network. An attacker may be able to use that information to recover the key.\n\n### Patches\nNo patch is yet available, however work is underway to migrate to a fully constant-time implementation.\n\n### Workarounds\nThe only currently available workaround is to avoid using the `rsa` crate in settings where attackers are able to observe timing information, e.g. local use on a non-compromised computer is fine.\n\n### References\nThis vulnerability was discovered as part of the \"Marvin Attack\", which revealed several implementations of RSA including OpenSSL had not properly mitigated timing sidechannel attacks.\n\n- https://rustsec.org/advisories/RUSTSEC-2023-0071.html\n- https://people.redhat.com/~hkario/marvin/\n- https://github.com/RustCrypto/RSA/issues/19",
  "id": "GHSA-c38w-74pg-36hr",
  "modified": "2026-04-27T16:45:08Z",
  "published": "2023-11-28T23:28:27Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/RustCrypto/RSA/security/advisories/GHSA-c38w-74pg-36hr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49092"
    },
    {
      "type": "WEB",
      "url": "https://github.com/RustCrypto/RSA/issues/19#issuecomment-1822995643"
    },
    {
      "type": "WEB",
      "url": "https://github.com/RustCrypto/RSA/issues/626"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/RustCrypto/RSA"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2023-0071.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Marvin Attack: potential key recovery through timing sidechannels"
}

Mitigation
Architecture and Design

Whenever possible, specify implementation strategies that do not introduce time variances in operations.

Mitigation
Implementation

Often one can artificially manipulate the time which operations take or -- when operations occur -- can remove information from the attacker.

Mitigation
Implementation

It is reasonable to add artificial or random delays so that the amount of CPU time consumed is independent of the action being taken by the application.

CAPEC-462: Cross-Domain Search Timing

An attacker initiates cross domain HTTP / GET requests and times the server responses. The timing of these responses may leak important information on what is happening on the server. Browser's same origin policy prevents the attacker from directly reading the server responses (in the absence of any other weaknesses), but does not prevent the attacker from timing the responses to requests that the attacker issued cross domain.