CVE-2023-50781 : A flaw was found in m2crypto. This issue may allow a remote attacker to decrypt

A flaw was found in m2crypto. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.

Published 2024-02-05 21:15:11

Updated 2024-02-26 16:27:48

Source Red Hat, Inc.

View at NVD, CVE.org

Products affected by CVE-2023-50781

Redhat » Enterprise Linux » Version: 8.0
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux » Version: 9.0
cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*
Matching versions
Redhat » Update Infrastructure » Version: 4
cpe:2.3:a:redhat:update_infrastructure:4:*:*:*:*:*:*:*
Matching versions
M2crypto Project » M2crypto » Version: N/A
cpe:2.3:a:m2crypto_project:m2crypto:-:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2023-50781

EPSS FAQ

0.36%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 56 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-50781

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	3.9	3.6	NIST	2024-02-15
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None
5.9	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N	2.2	3.6	Red Hat, Inc.	2024-02-05
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	3.9	3.6	Red Hat, Inc.	2024-02-26
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None
5.9	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N	N/A	N/A	RedHat-CVE-2023-50781
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None

CWE ids for CVE-2023-50781

CWE-203 Observable Discrepancy

The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.

Assigned by: nvd@nist.gov (Primary)
CWE-208 Observable Timing Discrepancy

Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.

Assigned by: secalert@redhat.com (Secondary)

References for CVE-2023-50781

https://access.redhat.com/security/cve/CVE-2023-50781

cve-details
Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2254426

2254426 – (CVE-2023-50781) CVE-2023-50781 m2crypto: Bleichenbacher timing attacks in the RSA decryption API - incomplete fix for CVE-2020-25657
Issue Tracking

Jump to

Vulnerability Details : CVE-2023-50781

Products affected by CVE-2023-50781

Exploit prediction scoring system (EPSS) score for CVE-2023-50781

CVSS scores for CVE-2023-50781

CWE ids for CVE-2023-50781

References for CVE-2023-50781