CVE-2024-11862 – devolutions.xts.net

Package

Manager: nuget
Name: devolutions.xts.net
Vulnerable Version: >=0 <2024.11.26

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00031 pctl0.07246

Details

Devolutions.XTS.NET Vulnerable to Timing Attack on GF Multiplications ### Impact Timing attacks on Galois Field multiplications in this package. Successful exploitation would effectively allow a downgrade of the security guarantees of the XTS mode to the security guarantees of ECB mode, allowing block swapping, enabling identification of identical blocks, and rendering half of the XTS key obsolete. Timing attacks require specific conditions to be exploitable. ### Patches Patched in 2024.11.26 ### Workarounds Upgrade the package ### References https://en.wikipedia.org/wiki/Timing_attack

Metadata

Created: 2024-11-27T19:01:01Z
Modified: 2024-11-27T19:01:01Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-j6vm-4r7g-x4gr/GHSA-j6vm-4r7g-x4gr.json
CWE IDs: ["CWE-385"]
Alternative ID: GHSA-j6vm-4r7g-x4gr
Finding: F115
Auto approve: 1