Vulnerability details: VCID-ur7f-5ey8-aaak
Vulnerability ID VCID-ur7f-5ey8-aaak
Aliases CVE-2022-4304
GHSA-p52g-cm5j-mjv4
Summary A timing-based side channel exists in the OpenSSL RSA decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher-style attack. To achieve a successful decryption, an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OAEP and RSASVE. For example, in a TLS connection, RSA is commonly used by a client to send an encrypted pre-master secret to the server. An attacker who had observed a genuine connection between a client and a server could use this flaw to send trial messages to the server and record the time taken to process them. After a sufficiently large number of messages, the attacker could recover the pre-master secret used for the original connection and thus be able to decrypt the application data sent over that connection.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
System Score Found at
cvssv3 5.9 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-4304.json
epss 0.00175 https://api.first.org/data/v1/epss?cve=CVE-2022-4304
epss 0.00186 https://api.first.org/data/v1/epss?cve=CVE-2022-4304
epss 0.00191 https://api.first.org/data/v1/epss?cve=CVE-2022-4304
epss 0.00237 https://api.first.org/data/v1/epss?cve=CVE-2022-4304
epss 0.00242 https://api.first.org/data/v1/epss?cve=CVE-2022-4304
epss 0.00249 https://api.first.org/data/v1/epss?cve=CVE-2022-4304
epss 0.01308 https://api.first.org/data/v1/epss?cve=CVE-2022-4304
cvssv3.1 5.9 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-p52g-cm5j-mjv4
cvssv3 5.9 https://nvd.nist.gov/vuln/detail/CVE-2022-4304
cvssv3.1 5.9 https://nvd.nist.gov/vuln/detail/CVE-2022-4304
cvssv3.1 5.9 https://rustsec.org/advisories/RUSTSEC-2023-0007.html
generic_textual MODERATE https://rustsec.org/advisories/RUSTSEC-2023-0007.html
cvssv3.1 5.9 https://security.gentoo.org/glsa/202402-08
ssvc Track https://security.gentoo.org/glsa/202402-08
cvssv3.1 5.9 https://www.openssl.org/news/secadv/20230207.txt
cvssv3.1 7.4 https://www.openssl.org/news/secadv/20230207.txt
generic_textual HIGH https://www.openssl.org/news/secadv/20230207.txt
ssvc Track https://www.openssl.org/news/secadv/20230207.txt
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-4304.json
https://api.first.org/data/v1/epss?cve=CVE-2022-4304
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2097
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4304
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4450
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0215
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0286
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://rustsec.org/advisories/RUSTSEC-2023-0007.html
https://www.openssl.org/news/secadv/20230207.txt
2164487 https://bugzilla.redhat.com/show_bug.cgi?id=2164487
cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:openssl:openssl:*:*:*:*:*:*:*:*
cpe:2.3:a:stormshield:endpoint_security:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:stormshield:endpoint_security:*:*:*:*:*:*:*:*
cpe:2.3:a:stormshield:sslvpn:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:stormshield:sslvpn:*:*:*:*:*:*:*:*
cpe:2.3:a:stormshield:stormshield_network_security:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:stormshield:stormshield_network_security:*:*:*:*:*:*:*:*
CVE-2022-4304 https://nvd.nist.gov/vuln/detail/CVE-2022-4304
GHSA-p52g-cm5j-mjv4 https://github.com/advisories/GHSA-p52g-cm5j-mjv4
GLSA-202402-08 https://security.gentoo.org/glsa/202402-08
RHSA-2023:0946 https://access.redhat.com/errata/RHSA-2023:0946
RHSA-2023:1199 https://access.redhat.com/errata/RHSA-2023:1199
RHSA-2023:1405 https://access.redhat.com/errata/RHSA-2023:1405
RHSA-2023:2165 https://access.redhat.com/errata/RHSA-2023:2165
RHSA-2023:2932 https://access.redhat.com/errata/RHSA-2023:2932
RHSA-2023:3354 https://access.redhat.com/errata/RHSA-2023:3354
RHSA-2023:3355 https://access.redhat.com/errata/RHSA-2023:3355
RHSA-2023:3408 https://access.redhat.com/errata/RHSA-2023:3408
RHSA-2023:3420 https://access.redhat.com/errata/RHSA-2023:3420
RHSA-2023:3421 https://access.redhat.com/errata/RHSA-2023:3421
RHSA-2023:4128 https://access.redhat.com/errata/RHSA-2023:4128
USN-5844-1 https://usn.ubuntu.com/5844-1/
USN-6564-1 https://usn.ubuntu.com/6564-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-4304.json
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2022-4304
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://rustsec.org/advisories/RUSTSEC-2023-0007.html
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://security.gentoo.org/glsa/202402-08
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-06T15:57:19Z/ Found at https://security.gentoo.org/glsa/202402-08
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://www.openssl.org/news/secadv/20230207.txt
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H Found at https://www.openssl.org/news/secadv/20230207.txt
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-06T15:57:19Z/ Found at https://www.openssl.org/news/secadv/20230207.txt
Exploit Prediction Scoring System (EPSS)
Percentile 0.55279
EPSS Score 0.00175
Published At Nov. 1, 2024, midnight
Date Actor Action Source VulnerableCode Version
There are no relevant records.