hmac.compare_digest() accumulator not constant-time

2023-08-2400:00:00

Google

osv.dev

hmac

python

security

optimization

variable

5.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

7.1 High

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

23.9%

JSON

An issue was discovered in compare_digest in Lib/hmac.py in Python through 3.9.1. Constant-time-defeating optimisations were possible in the accumulator variable in hmac.compare_digest.

CPENameOperatorVersion
cpythoneq2.5a0
cpythoneq1.2b3
cpythoneq3.9.0
cpythoneq3.8.0b2
cpythoneq3.8.6rc1
cpythoneq3.5.0
cpythoneq3.9.0a5
cpythoneq3.8.3rc1
cpythoneq3.2.3rc1
cpythoneq2.7.3rc1

Name	Operator	Version
cpython	eq	2.5a0
cpython	eq	1.2b3
cpython	eq	3.9.0
cpython	eq	3.8.0b2
cpython	eq	3.8.6rc1
cpython	eq	3.5.0
cpython	eq	3.9.0a5
cpython	eq	3.8.3rc1
cpython	eq	3.2.3rc1
cpython	eq	2.7.3rc1