Observable Timing Discrepancy

CVE-2024-42512

High

8.6/10

Summary

Vulnerability in the OPC UA .NET Standard Stack, allows an unauthorized attacker to bypass application authentication when the deprecated "Basic128Rsa15" security policy is enabled. This issue affects OPCFoundation.NetStandard.Opc.Ua.Core package versions prior to 1.5.374.158.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: LOW
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: HIGH
Availability Impact: LOW

CWE-208 - Observable Timing Discrepancy

Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.

References

Main
Duplicate
Release Note
Pull request
Disclosure

Advisory Timeline

Published Feb 10, 2025

Observable Timing Discrepancy

CVE-2024-42512

Summary

CWE-208 - Observable Timing Discrepancy

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS