16 matches found
MAL-2026-4658 Malicious code in rapyd-client (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fb9b157ff532e1e7c1ccd9ae77aec9a89324f24a5a0f27c1ccd70e430f318b60 Package self-presents as a TypeScript SDK for the Rapyd fintech-as-a-service platform and links https://www.rapyd-client.net/ as if it were Rapyd's...
Astra Linux – Vulnerability in mbedtls
A timing side channel in mbedtlsssldecryptbuf in library/sslmsg.c in Trusted Firmware Mbed TLS from version 2.23.0 allows an attacker to obtain secret key information. This issue affects the CBC mode, as it involves a calculated time difference based on the padding length...
CVE-2026-34076 Clerk JavaScript: SSRF in the opt-in clerkFrontendApiProxy feature may leak secret keys to unintended host
Clerk JavaScript is the official JavaScript repository for Clerk authentication. In @clerk/hono from versions 0.1.0 to before 0.1.5, @clerk/express from versions 2.0.0 to before 2.0.7, @clerk/backend from versions 3.0.0 to before 3.2.3, and @clerk/fastify from versions 3.1.0 to before 3.1.5, the...
Linux Distros Unpatched Vulnerability : CVE-2026-3580
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In wolfSSL 5.8.4, constant-time masking logic in sp256getentry2569 is optimized into conditional branches bnez by GCC when targeting RISC-V RV32I with -O3. This...
CVE-2025-7432
DPA countermeasures in Silicon Labs' Series 2 devices are not reseeded under certain conditions. This may allow an attacker to eventually extract secret keys through a DPA attack...
GHSA-J8CM-G7R6-HFPQ vodozemac's usage of non-constant time base64 decoder could lead to leakage of secret key material
Versions before 0.7.0 of vodozemac use a non-constant time base64 implementation for importing key material for Megolm group sessions and PkDecryption Ed25519 secret keys. This flaw might allow an attacker to infer some information about the secret key material through a side-channel attack. Impa...
PT-2024-24129 · Open Quantum Safe · Liboqs
Name of the Vulnerable Software and Affected Versions: Open Quantum Safe liboqs version 10.0 Description: An issue in Open Quantum Safe liboqs allows a remote attacker to escalate privileges via the crypto sign signature parameter in the /pqcrystals-dilithium-standard ml-dsa-44-ipd avx2/sign.c...
Timing Attack
github.com/cloudflare/circl is vulnerable to Timing Attack. The vulnerability is caused due to arithmetic operations during ciphertext compression which leaks sensitive timing information. An attacker can learn parts of secret key by exploiting this vulnerability brute force...
CVE-2023-46742
CubeFS is an open-source cloud-native file storage system. CubeFS prior to version 3.3.1 was found to leak users secret keys and access keys in the logs in multiple components. When CubeCS creates new users, it leaks the users secret key. This could allow a lower-privileged user with access to th...
PT-2024-40389 · Openssl · Openssl
Name of the Vulnerable Software and Affected Versions: OpenSSL versions prior to 0.6.2 Description: The issue allows an attacker to learn parts of the secret key when they can time decapsulation and forge cipher texts on certain platforms. This does not affect ephemeral usage, such as regular use...
CVE-2023-26556
io.finnet tss-lib before 2.0.0 can leak a secret key via a timing side-channel attack because it relies on the scalar-multiplication implementation in Go crypto/elliptic, which is not constant time there is an if statement in a loop. One leak is in ecdsa/keygen/round2.go. bnb-chain/tss-lib and...
SUSE CVE-2020-16150
A Lucky 13 timing side channel in mbedtlsssldecryptbuf in library/sslmsg.c in Trusted Firmware Mbed TLS through 2.23.0 allows an attacker to recover secret key information. This affects CBC mode because of a computed time difference based on a padding length...
CVE-2022-29266
In APache APISIX before 3.13.1, the jwt-auth plugin has a security issue that leaks the user's secret key because the error message returned from the dependency lua-resty-jwt contains sensitive information...
PT-2022-2524 · Apache · Apache Apisix
Name of the Vulnerable Software and Affected Versions: Apache APISIX versions prior to 3.13.1 Description: The issue is related to the jwt-auth plugin of Apache APISIX, which has a security problem due to insufficient error reporting mechanisms. This can allow a remote attacker to gain unauthoriz...
Omise: Public and secret api key leaked via omise github repo(owned by omise)
Found secret key of particular omise accounts! Functionality of the public and secret keys are described below: Public key The public key can be used to create tokens via javascript from your customers browsers. This key can be safely exposed to the outside world. Secret key The secret key can be...
Parallels Plesk Panel 12.x Key Disclosure
While auditing the source code for Parallels Plesk Panel 12.x on Linux I noticed the following feature that leads to leakage of the '/etc/psa/private/secretkey'-file in md5 format to non-authenticated users. Parallels responded that the 16byte 'secretkey' should provide sufficient entropy for thi...