How severe is CVE-2021-4239?

This vulnerability has a severity rating of HIGH with a CVSS score of 7.5 out of 10.

What type of vulnerability is CVE-2021-4239?

This is classified as CWE-311, which is a common weakness in software security.

CVE-2021-4239 - HIGH Severity | CVSS 7.5

Vulnerability Description

The Noise protocol implementation suffers from weakened cryptographic security after encrypting 2^64 messages, and a potential denial of service attack. After 2^64 (~18.4 quintillion) messages are encrypted with the Encrypt function, the nonce counter will wrap around, causing multiple messages to be encrypted with the same key and nonce. In a separate issue, the Decrypt function increments the nonce state even when it fails to decrypt a message. If an attacker can provide an invalid input to the Decrypt function, this will cause the nonce state to desynchronize between the peers, resulting in a failure to encrypt all subsequent messages.

Related Vulnerabilities

CVE-2007-4961

HIGH

CVSS:7.5(High)

The login_to_simulator method in Linden Lab Second Life, as used by the secondlife:// protocol handler and possibly other Second Life login mechanisms, sends an MD5 hash in cleartext in the passwd fie...

CWE-3112007

CVE-2016-10598

HIGH

CVSS:7.5(High)

arrayfire-js is a module for ArrayFire for the Node.js platform. arrayfire-js downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code ...

CWE-3112016

CVE-2016-10608

HIGH

CVSS:7.5(High)

robot-js is a module for native system automation for node.js. robot-js downloads binary resources over HTTP, which leaves it vulnerable to MITM attacks. It may be possible to cause remote code execut...

CWE-3112016

CVE-2017-12817

HIGH

CVSS:7.5(High)

In Kaspersky Internet Security for Android 11.12.4.1622, some of the application trace files were not encrypted.

CWE-3112017

CVE-2017-15581

HIGH

CVSS:7.5(High)

In the "Diary with lock" (aka WriteDiary) application 4.72 for Android, neither HTTPS nor other encryption is used for transmitting data, despite the documentation that the product is intended for "a ...

CWE-3112017

CVE-2017-15609

HIGH

CVSS:7.5(High)

Octopus before 3.17.7 allows attackers to obtain sensitive cleartext information by reading a variable JSON file in certain situations involving Offline Drop Targets.

CWE-3112017