GitHub Advisory Database: GHSA-78HX-GP6G-7MJ6

Memory leaks in code encrypting and verifying RSA payloads

Published: Mar 20, 2024, 18:10:36
CWE: CWE-400, CWE-401
Source: GitHub Advisory Database (github.com)
Tags: memory leaks, rsa encryption, sp 800-56b, denial of service, software

CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score: 6.2 Medium (Confidence: High)
EPSS: 0.0005 Low (Percentile: 17.1%)

Using crafted public RSA keys that are not compliant with SP 800-56B can cause a small memory leak when encrypting and verifying payloads.

An attacker can leverage this flaw to gradually erode available memory to the point where the host crashes for lack of resources. Upon restart the attacker would have to begin again, but nevertheless there is the potential to deny service.
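As an added example (not code from the advisory or from the affected projects), the following Go check applies the SP 800-56B public-key constraints I am stating from the standard itself, not from this page (odd modulus of at least 2048 bits, odd public exponent of at least 65537), so that a caller can reject a non-compliant key before handing it to the OpenSSL-backed encrypt or verify path. The function name and the sample keys are constructed; whether the library's own key checks match these exactly is an assumption.

```go
package main

import (
	"crypto/rsa"
	"errors"
	"fmt"
	"math/big"
)

// minModulusBits is the smallest modulus length SP 800-56B treats as approved
// (simplification: the standard lists specific approved lengths; we only bound from below).
const minModulusBits = 2048

// CheckRSAPublicKeySP80056B is a hypothetical pre-check that rejects RSA public keys
// which do not meet the SP 800-56B constraints, so the leaking library path is never
// entered for such keys (assumption: the leak is tied to the library rejecting the key).
func CheckRSAPublicKeySP80056B(pub *rsa.PublicKey) error {
	if pub == nil || pub.N == nil {
		return errors.New("rsa: nil public key")
	}
	if pub.N.Sign() <= 0 || pub.N.Bit(0) == 0 {
		return errors.New("rsa: modulus must be a positive odd integer")
	}
	if bits := pub.N.BitLen(); bits < minModulusBits {
		return fmt.Errorf("rsa: modulus is %d bits, need at least %d", bits, minModulusBits)
	}
	// e must be odd and lie in [65537, 2^256); a Go int cannot exceed 2^64, so only the
	// lower bound and parity need to be checked here.
	if pub.E < 65537 || pub.E%2 == 0 {
		return fmt.Errorf("rsa: public exponent %d must be odd and at least 65537", pub.E)
	}
	return nil
}

func main() {
	// Constructed sample: 2^2047+1 is odd with bit length 2048. It is not a real RSA
	// modulus; the check is a format check, not a proof that the key is usable.
	n := new(big.Int).Lsh(big.NewInt(1), 2047)
	n.SetBit(n, 0, 1)
	samples := map[string]*rsa.PublicKey{
		"compliant":     {N: n, E: 65537},
		"even exponent": {N: n, E: 65536},
		"short modulus": {N: big.NewInt(0xC0FFEE1), E: 65537},
	}
	for name, k := range samples {
		fmt.Printf("%-14s -> %v\n", name, CheckRSAPublicKeySP80056B(k))
	}
}
```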

Affected configurations

github.com/microsoft/go-crypto-openssl/openssl: Range 0.2.8
github.com/golangfips/openssl/v2: Range 2.0.0
github.com/microsoft/go-crypto-openssl: Range 0.2.8
github.com/golangfips/openssl/openssl: Range 0
github.com/golangfips/go: Range 1.22.1
