CVE-2017-20240

Description

Crypt::PBKDF2 versions before 0.261630 for Perl are vulnerable to timing attacks. These versions use Perl's built-in eq comparison. Discrepancies in timing could be used to guess the underlying derived-key.

CVSS breakdown

CVSS 3.1

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Affected products

ARODLAND / Crypt::PBKDF20 – 0.261630

References

PATCHhttps://github.com/arodland/Crypt-PBKDF2/pull/6
MISChttps://metacpan.org/release/ARODLAND/Crypt-PBKDF2-0.161520/source/lib/Crypt/PBKDF2.pm#L123-148
MISChttps://metacpan.org/release/ARODLAND/Crypt-PBKDF2-0.261630/changes