Observable Discrepancy

CVE-2018-16869

Medium

5.7/10

Summary

A Bleichenbacher type side-channel based padding oracle attack was found in the way nettle handles endian conversion of RSA decrypted PKCS#1 v1.5 data. An attacker who is able to run a process on the same physical core as the victim process, could use this flaw extract plaintext or in some cases downgrade any TLS connections to a vulnerable server.

Attack Complexity: HIGH
Attack Vector: PHYSICAL
Integrity Impact: LOW
Scope: CHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: HIGH
Availability Impact: NONE

CWE-203 - Observable Discrepancy

The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.

References

Advisory Timeline

Published Dec 03, 2018

Observable Discrepancy

CVE-2018-16869

Summary

CWE-203 - Observable Discrepancy

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS