CVE-2024-0553

2024-01-1612:15:45

Google

osv.dev

gnutls

vulnerability

remote attack

timing side-channel

rsa-psk

sensitive data

incomplete resolution

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

6.4 Medium

AI Score

Confidence

High

0.008 Low

EPSS

Percentile

82.0%

JSON

A vulnerability was found in GnuTLS. The response times to malformed ciphertexts in RSA-PSK ClientKeyExchange differ from the response times of ciphertexts with correct PKCS#1 v1.5 padding. This issue may allow a remote attacker to perform a timing side-channel attack in the RSA-PSK key exchange, potentially leading to the leakage of sensitive data. CVE-2024-0553 is designated as an incomplete resolution for CVE-2023-5981.

CPENameOperatorVersion
gnutlseqgnutls-3_0_12
gnutlseqgnutls_3_6_0
gnutlseqgnutls_1_1_18
gnutlseq3.3.9-r1
gnutlseqgnutls_3_1_2
gnutlseq3.4.6-r0
gnutlseqgnutls_3_0_15
gnutlseqgnutls_3_0_11
gnutlseqgnutls_0_5_0
gnutlseqgnutls_1_0_23

Name	Operator	Version
gnutls	eq	gnutls-3_0_12
gnutls	eq	gnutls_3_6_0
gnutls	eq	gnutls_1_1_18
gnutls	eq	3.3.9-r1
gnutls	eq	gnutls_3_1_2
gnutls	eq	3.4.6-r0
gnutls	eq	gnutls_3_0_15
gnutls	eq	gnutls_3_0_11
gnutls	eq	gnutls_0_5_0
gnutls	eq	gnutls_1_0_23