
Vulnerability_id VCID-u7sk-kf9y-13gh
Summary
Observable Timing Discrepancy in pypqc
`kyber512`, `kyber768`, and `kyber1024` on Mac OS (or when compiled with clang) only: An attacker able to submit many decapsulation requests against a single private key, and to gain timing information about the decapsulation, could recover the private key. Proof-of-concept exploit exists for a local attacker.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:P/RL:U/RC:C
Aliases
0
alias GHSA-hvh4-5qr6-3v7r
Fixed_packages
0
url pkg:pypi/pypqc@0.0.7.0a2
purl pkg:pypi/pypqc@0.0.7.0a2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pypqc@0.0.7.0a2
Affected_packages
0
url pkg:pypi/pypqc@0.0.4
purl pkg:pypi/pypqc@0.0.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4t6v-gd4e-qycv
1
vulnerability VCID-u7sk-kf9y-13gh
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pypqc@0.0.4
1
url pkg:pypi/pypqc@0.0.6
purl pkg:pypi/pypqc@0.0.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4t6v-gd4e-qycv
1
vulnerability VCID-u7sk-kf9y-13gh
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pypqc@0.0.6
2
url pkg:pypi/pypqc@0.0.6.post1
purl pkg:pypi/pypqc@0.0.6.post1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4t6v-gd4e-qycv
1
vulnerability VCID-u7sk-kf9y-13gh
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pypqc@0.0.6.post1
3
url pkg:pypi/pypqc@0.0.6.1
purl pkg:pypi/pypqc@0.0.6.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-u7sk-kf9y-13gh
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pypqc@0.0.6.1
4
url pkg:pypi/pypqc@0.0.6.1.post1
purl pkg:pypi/pypqc@0.0.6.1.post1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-u7sk-kf9y-13gh
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pypqc@0.0.6.1.post1
5
url pkg:pypi/pypqc@0.0.6.2rc1
purl pkg:pypi/pypqc@0.0.6.2rc1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-u7sk-kf9y-13gh
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pypqc@0.0.6.2rc1
6
url pkg:pypi/pypqc@0.0.6.2
purl pkg:pypi/pypqc@0.0.6.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-u7sk-kf9y-13gh
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pypqc@0.0.6.2
References
0
reference_url https://github.com/JamesTheAwesomeDude/pypqc
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:P/RL:U/RC:C
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/JamesTheAwesomeDude/pypqc
1
reference_url https://github.com/PQClean/PQClean/issues/556
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:P/RL:U/RC:C
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/PQClean/PQClean/issues/556
2
reference_url https://github.com/advisories/GHSA-hvh4-5qr6-3v7r
reference_id GHSA-hvh4-5qr6-3v7r
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-hvh4-5qr6-3v7r
3
reference_url https://github.com/JamesTheAwesomeDude/pypqc/security/advisories/GHSA-hvh4-5qr6-3v7r
reference_id GHSA-hvh4-5qr6-3v7r
reference_type
scores
0
value 8.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:P/RL:U/RC:C
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/JamesTheAwesomeDude/pypqc/security/advisories/GHSA-hvh4-5qr6-3v7r
Weaknesses
0
cwe_id 208
name Observable Timing Discrepancy
description Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.
1
cwe_id 937
name OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.
2
cwe_id 1035
name OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.
3
cwe_id 385
name Covert Timing Channel
description Covert timing channels convey information by modulating some aspect of system behavior over time, so that the program receiving the information can observe system behavior and infer protected information.
4
cwe_id 733
name Compiler Optimization Removal or Modification of Security-critical Code
description The developer builds a security-critical protection mechanism into the software, but the compiler optimizes the program such that the mechanism is removed or modified.
Exploits
Severity_range_score 7.0 - 8.9
Exploitability 0.5
Weighted_severity 8.0
Risk_score 4.0
Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-u7sk-kf9y-13gh