GHSA-6cr6-fmvc-vw2p
Suggest an improvement- Source
- https://github.com/advisories/GHSA-6cr6-fmvc-vw2p
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/12/GHSA-6cr6-fmvc-vw2p/GHSA-6cr6-fmvc-vw2p.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-6cr6-fmvc-vw2p
- Aliases
-
- CVE-2021-4239
- GHSA-g9mp-8g3h-3c5c
- GO-2022-0425
- Published
- 2022-12-28T00:30:23Z
- Modified
- 2023-11-01T04:56:38.282458Z
- Severity
-
- 7.7 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H CVSS Calculator
- Summary
- Noise vulnerable to denial of service
- Details
-
Noise is a Go implementation of the Noise Protocol Framework. The Noise protocol implementation suffers from weakened cryptographic security after encrypting 2^64 messages, and a potential denial of service attack. After 2^64 (~18.4 quintillion) messages are encrypted with the Encrypt function, the nonce counter will wrap around, causing multiple messages to be encrypted with the same key and nonce. In a separate issue, the Decrypt function increments the nonce state even when it fails to decrypt a message. If an attacker can provide an invalid input to the Decrypt function, this will cause the nonce state to desynchronize between the peers, resulting in a failure to encrypt all subsequent messages.
- Database specific
{ "github_reviewed": true, "github_reviewed_at": "2022-12-29T01:52:11Z", "severity": "HIGH", "nvd_published_at": "2022-12-27T22:15:00Z", "cwe_ids": [ "CWE-311" ] }- References
Affected packages
Go / github.com/flynn/noise
Package
- Name
- github.com/flynn/noise
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/flynn/noise