Lookup for vulnerable packages by Package URL.

Purl pkg:pypi/pypqc@0.0.6.post1
Type pypi
Namespace
Name pypqc
Version 0.0.6.post1
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 0.0.7.0a2
Latest_non_vulnerable_version 0.0.7.0a2
Affected_by_vulnerabilities
0
url VCID-4t6v-gd4e-qycv
vulnerability_id VCID-4t6v-gd4e-qycv
summary
pypqc private key retrieval vulnerability
### Impact
For `kyber512`, `kyber768`, and `kyber1024` only: An attacker able to submit many ciphertexts against a single private key, and to get responses in real time, could recover the private key. This attack has been named KyberSlash.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:F/RL:O/RC:C

### Patches
Version 0.0.6.1 and newer of PyPQC is patched.

### Workarounds
No workarounds have been reported. The 0.0.6 -> 0.0.6.1 upgrade should be a drop-in replacement; it has no known breaking changes.

### References
1. This was partially patched ("KyberSlash 1") in the reference implementation by Peter Schwabe on December 1st, 2023.  
   https://www.github.com/pq-crystals/kyber/commit/dda29cc63af721981ee2c831cf00822e69be3220

2. This was reported as a security vulnerability by Daniel J. Bernstein on December 15th, 2023.  
   https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/hWqFJCucuj4/m/-Z-jm_k9AAAJ

3. A webpage was stood up for authoritative reference about this by Daniel J. Bernstein on December 19th, 2023.  
   https://kyberslash.cr.yp.to/

4. This was acknowledged as a security vulnerability by Thom Wiggers on December 19th, 2023.  
   https://www.github.com/PQClean/PQClean/issues/533

5. This was completely patched ("KyberSlash 2") in the reference implementation by Peter Schwabe on December 29th, 2023.
   https://www.github.com/pq-crystals/kyber/commit/11d00ff1f20cfca1f72d819e5a45165c1e0a2816

6. Further details were reported by Prasanna Ravi and Matthias Kannwischer on December 30th, 2023.  
   https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/ldX0ThYJuBo/m/ovODsdY7AwAJ

7. A proof-of-concept exploit was published by Daniel J. Bernstein on December 30th, 2023.  
   https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/ldX0ThYJuBo/m/uIOqRF5BAwAJ

8. This was completely patched in upstream by Thom Wiggers on January 25th, 2024.  
   https://www.github.com/PQClean/PQClean/pull/534#event-11595728485

9. This was completely patched in pypqc (including upload to PyPI) on January 26th, 2024.  
   https://www.github.com/JamesTheAwesomeDude/pypqc/commit/b33fec8cd36e865f8db6215c64b2d01f429a1ed6
references
0
reference_url https://github.com/JamesTheAwesomeDude/pypqc
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/JamesTheAwesomeDude/pypqc
1
reference_url https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/hWqFJCucuj4/m/-Z-jm_k9AAAJ
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/hWqFJCucuj4/m/-Z-jm_k9AAAJ
2
reference_url https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/ldX0ThYJuBo/m/uIOqRF5BAwAJ
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/ldX0ThYJuBo/m/uIOqRF5BAwAJ
3
reference_url https://kyberslash.cr.yp.to
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://kyberslash.cr.yp.to
4
reference_url https://www.github.com/JamesTheAwesomeDude/pypqc/commit/b33fec8cd36e865f8db6215c64b2d01f429a1ed6
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.github.com/JamesTheAwesomeDude/pypqc/commit/b33fec8cd36e865f8db6215c64b2d01f429a1ed6
5
reference_url https://www.github.com/PQClean/PQClean/issues/533
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.github.com/PQClean/PQClean/issues/533
6
reference_url https://www.github.com/PQClean/PQClean/pull/534#event-11595728485
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.github.com/PQClean/PQClean/pull/534#event-11595728485
7
reference_url https://www.github.com/pq-crystals/kyber/commit/11d00ff1f20cfca1f72d819e5a45165c1e0a2816
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.github.com/pq-crystals/kyber/commit/11d00ff1f20cfca1f72d819e5a45165c1e0a2816
8
reference_url https://www.github.com/pq-crystals/kyber/commit/dda29cc63af721981ee2c831cf00822e69be3220
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.github.com/pq-crystals/kyber/commit/dda29cc63af721981ee2c831cf00822e69be3220
9
reference_url https://github.com/advisories/GHSA-rc4p-p3j9-6577
reference_id GHSA-rc4p-p3j9-6577
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-rc4p-p3j9-6577
10
reference_url https://github.com/JamesTheAwesomeDude/pypqc/security/advisories/GHSA-rc4p-p3j9-6577
reference_id GHSA-rc4p-p3j9-6577
reference_type
scores
0
value 8.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/JamesTheAwesomeDude/pypqc/security/advisories/GHSA-rc4p-p3j9-6577
fixed_packages
0
url pkg:pypi/pypqc@0.0.6.1
purl pkg:pypi/pypqc@0.0.6.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-u7sk-kf9y-13gh
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pypqc@0.0.6.1
aliases GHSA-rc4p-p3j9-6577, GMS-2024-382
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4t6v-gd4e-qycv
1
url VCID-u7sk-kf9y-13gh
vulnerability_id VCID-u7sk-kf9y-13gh
summary
Observable Timing Discrepancy in pypqc
`kyber512`, `kyber768`, and `kyber1024` on Mac OS (or when compiled with clang) only: An attacker able to submit many decapsulation requests against a single private key, and to gain timing information about the decapsulation, could recover the private key. Proof-of-concept exploit exists for a local attacker.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:P/RL:U/RC:C
references
0
reference_url https://github.com/JamesTheAwesomeDude/pypqc
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:P/RL:U/RC:C
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/JamesTheAwesomeDude/pypqc
1
reference_url https://github.com/PQClean/PQClean/issues/556
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:P/RL:U/RC:C
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/PQClean/PQClean/issues/556
2
reference_url https://github.com/advisories/GHSA-hvh4-5qr6-3v7r
reference_id GHSA-hvh4-5qr6-3v7r
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-hvh4-5qr6-3v7r
3
reference_url https://github.com/JamesTheAwesomeDude/pypqc/security/advisories/GHSA-hvh4-5qr6-3v7r
reference_id GHSA-hvh4-5qr6-3v7r
reference_type
scores
0
value 8.2
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:P/RL:U/RC:C
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/JamesTheAwesomeDude/pypqc/security/advisories/GHSA-hvh4-5qr6-3v7r
fixed_packages
0
url pkg:pypi/pypqc@0.0.7.0a2
purl pkg:pypi/pypqc@0.0.7.0a2
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pypqc@0.0.7.0a2
aliases GHSA-hvh4-5qr6-3v7r
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-u7sk-kf9y-13gh
Fixing_vulnerabilities
Risk_score null
Resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/pypqc@0.0.6.post1