CVE-2023-1732 — Vulnetix

Try Vulnetix Request Demo

CVE-2023-1732 PUBLISHED CVSS 5.3 MEDIUM

Reported by cloudflare · Published May 10, 2023

When sampling randomness for a shared secret, the implementation of Kyber and FrodoKEM, did not check whether crypto/rand.Read() returns an error. In rare deployment cases (error thrown by the Read() function), this could lead to a predictable shared secret. The tkn20 and blindrsa components did not check whether enough randomness was returned from the user provided randomness source. Typically the user provides crypto/rand.Reader, which in the vast majority of cases will always return the right number random bytes. In the cases where it does not, or the user provides a source that does not, the blinding for blindrsa is weak and integrity of the plaintext is not ensured in tkn20.

Risk Scores

CVSS v3.1

5.3

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N

Affected Products

Vendor	Product	Versions
Cloudflare	CIRCL	0
chainguard	pulumi-language-java	0
wolfi	tekton-pipelines	, , *
github.com	cloudflare/circl	0, 0
Cloudflare	CIRCL	0, 0
chainguard	kyverno-1.8	0
chainguard	tekton-pipelines	*
chainguard	flux-0	, , *
chainguard	aactl	0, 0, 0
wolfi	pulumi-language-java	0, 0, 0
wolfi	aactl	0, 0, 0

Timeline

May 10, 2023 CVE Published
May 11, 2023 EPSS Score
Jun 16, 2023 EPSS Score
Jul 22, 2023 EPSS Score
Aug 27, 2023 EPSS Score
Oct 3, 2023 EPSS Score
Nov 8, 2023 EPSS Score
Dec 14, 2023 EPSS Score
Jan 19, 2024 EPSS Score
Feb 24, 2024 EPSS Score
Mar 31, 2024 EPSS Score
May 6, 2024 EPSS Score

References

Open in Interactive Console →