ChoeMinji / godot

MIT License
0 stars 0 forks source link

CVE-2024-23170 (Medium) detected in godot3.4.2-stable #64

Open mend-bolt-for-github[bot] opened 7 months ago

mend-bolt-for-github[bot] commented 7 months ago

CVE-2024-23170 - Medium Severity Vulnerability

Vulnerable Library - godot3.4.2-stable

Godot Engine ? Multi-platform 2D and 3D game engine

Library home page: https://github.com/godotengine/godot.git

Found in HEAD commit: 620ad7ae3fef04e165cbc3f2776d3e3bf6cfdc4d

Found in base branch: master

Vulnerable Source Files (1)

/thirdparty/mbedtls/library/rsa.c

Vulnerability Details

An issue was discovered in Mbed TLS 2.x before 2.28.7 and 3.x before 3.5.2. There was a timing side channel in RSA private operations. This side channel could be sufficient for a local attacker to recover the plaintext. It requires the attacker to send a large number of messages for decryption, as described in "Everlasting ROBOT: the Marvin Attack" by Hubert Kario.

Publish Date: 2024-01-31

URL: CVE-2024-23170

CVSS 3 Score Details (5.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://mbed-tls.readthedocs.io/en/latest/security-advisories/mbedtls-security-advisory-2024-01-1/

Release Date: 2024-01-12

Fix Resolution: v2.28.7,v3.5.2


Step up your Open Source Security Game with Mend here