bc-java: BouncyCastle vulnerable to a timing variant of Bleichenbacher (Marvin Attack)

A flaw was found in the Bouncy Castle Java cryptography APIs. Affected versions of the org.bouncycastle:bcprov-jdk18on package are vulnerable to Observable Timing Discrepancy via the PKCS1 1.5 and OAEP decryption process a.k.a. Marvin Attack. An attacker can recover cipher-texts via a side-channe...

OpenTelemetry Collector < 0.107.0 Timing Discrepancy

The OpenTelemetry Collector running on the remote host is prior to 0.107.0. It is, therefore, affected by a timing discrepancy vulnerability, outlined below: The bearertokenauth extension's server authenticator performs a simple, non-constant time string comparison of the received & configured...

Timing Attack

github.com/open-telemetry/opentelemetry-collector-contrib is vulnerable to Timing Attack. The vulnerability is due to the improper implementation of non-constant time string comparison in the bearertokenauth server authenticator, which allows attackers to infer the correct bearer token based on...

CVE-2024-42368 open-telemetry has an Observable Timing Discrepancy

OpenTelemetry, also known as OTel, is a vendor-neutral open source Observability framework for instrumenting, generating, collecting, and exporting telemetry data such as traces, metrics, and logs. The bearertokenauth extension's server authenticator performs a simple, non-constant time string...

CVE-2024-42368

The CVE-2024-42368 issue affects the bearertokenauth server authenticator in OpenTelemetry Collector contributions. A timing-discrepancy arises from non-constant time string comparisons of bearer tokens, enabling a network-adjacent attacker to infer the configured token by measuring response time...

CVE-2024-42368 open-telemetry has an Observable Timing Discrepancy

OpenTelemetry, also known as OTel, is a vendor-neutral open source Observability framework for instrumenting, generating, collecting, and exporting telemetry data such as traces, metrics, and logs. The bearertokenauth extension's server authenticator performs a simple, non-constant time string...

bc-java: BouncyCastle vulnerable to a timing variant of Bleichenbacher (Marvin Attack)

A flaw was found in the Bouncy Castle Java cryptography APIs. Affected versions of the org.bouncycastle:bcprov-jdk18on package are vulnerable to Observable Timing Discrepancy via the PKCS1 1.5 and OAEP decryption process a.k.a. Marvin Attack. An attacker can recover cipher-texts via a side-channe...

Security Bulletin: Denial of service and remote code execution might affect IBM Storage Defender – Resiliency Service

Summary IBM Storage Defender – Resiliency Service is vulnerable and can result in data confidentiality and service availabilty issues. The vulnerabilities have been addressed. CVE-2024-6387, CVE-2024-39329, CVE-2024-38875, CVE-2024-39614, CVE-2024-39330, CVE-2024-21520, CVE-2024-39689,...

bc-java: BouncyCastle vulnerable to a timing variant of Bleichenbacher (Marvin Attack)

A flaw was found in the Bouncy Castle Java cryptography APIs. Affected versions of the org.bouncycastle:bcprov-jdk18on package are vulnerable to Observable Timing Discrepancy via the PKCS1 1.5 and OAEP decryption process a.k.a. Marvin Attack. An attacker can recover cipher-texts via a side-channe...

SUSE SLES15: libfreebl3 / libfreebl3-32bit / libsoftokn3 / libsoftokn3-32bit / etc (SUSE-SU-2024:2600-1)

The remote SUSE Linux SLES15 / SLESSAP15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2024:2600-1 advisory. - FIPS: Added more safe memset bsc1222811. - FIPS: Adjusted AES GCM restrictions bsc1222830. - FIPS: Adjusted approved ciphers bsc1222813,...

Huawei EulerOS: Security Advisory for python-cryptography (EulerOS-SA-2024-1990)

The remote host is missing an update for the Huawei EulerOS SPDX-FileCopyrightText: 2024 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

CVE-2024-39329

A vulnerability was found in Python-Django in the django.contrib.auth.backends.ModelBackend.authenticate method. This flaw allows remote attackers to enumerate users via a timing attack involving login requests for users with unusable passwords. Mitigation Mitigation for this issue is either not...

EulerOS Virtualization 2.10.1 : python-cryptography (EulerOS-SA-2024-2008)

According to the versions of the python-cryptography package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : python-cryptography 3.2 is vulnerable to Bleichenbacher timing attacks in the RSA decryption API, via timed processing ...

GHSA-J8CM-G7R6-HFPQ vodozemac's usage of non-constant time base64 decoder could lead to leakage of secret key material

Versions before 0.7.0 of vodozemac use a non-constant time base64 implementation for importing key material for Megolm group sessions and PkDecryption Ed25519 secret keys. This flaw might allow an attacker to infer some information about the secret key material through a side-channel attack. Impa...

Security Bulletin: Vulnerability with The Bouncy Castle Crypto affect IBM Cloud Object Storage Systems (July 2024v2)

Summary Vulnerability with The Bouncy Castle CryptoCVE-2024-29857, , Snappy CVE-2024-36124, CVE-2024-30171, CVE-2024-30172, This vulnerability has been addressed in the latest ClevOS release Vulnerability Details CVEID:CVE-2024-29857 DESCRIPTION: The Bouncy Castle Crypto Package For Java is...

CVE-2023-41093

Use After Free vulnerability in Silicon Labs Bluetooth SDK on 32 bit, ARM may allow an attacker with precise timing capabilities to intercept a small number of packets intended for a recipient that has left the network.This issue affects Silabs Bluetooth SDK: through 8.0.0...

bc-java: BouncyCastle vulnerable to a timing variant of Bleichenbacher (Marvin Attack)

A flaw was found in the Bouncy Castle Java cryptography APIs. Affected versions of the org.bouncycastle:bcprov-jdk18on package are vulnerable to Observable Timing Discrepancy via the PKCS1 1.5 and OAEP decryption process a.k.a. Marvin Attack. An attacker can recover cipher-texts via a side-channe...

USN-6888-2: Django vulnerabilities

USN-6888-1 fixed several vulnerabilities in Django. This update provides the corresponding update for Ubuntu 18.04 LTS. Original advisory details: Elias Myllymäki discovered that Django incorrectly handled certain inputs with a large number of brackets. A remote attacker could possibly use this...

Timing Attack

Django is vulnerable to a Timing Attack. The vulnerability is due to the django.contrib.auth.backends.ModelBackend.authenticate method, allowing remote attackers to enumerate users via login requests with an unusable password...

Ubuntu 18.04 LTS : Django vulnerabilities (USN-6888-2)

The remote Ubuntu 18.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-6888-2 advisory. USN-6888-1 fixed several vulnerabilities in Django. This update provides the corresponding update for Ubuntu 18.04 LTS. Tenable has extracted the precedi...