How severe is CVE-2023-4421?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 6.5 out of 10.

What type of vulnerability is CVE-2023-4421?

This is classified as CWE-203, which is a common weakness in software security.

CVE-2023-4421 - MEDIUM Severity | CVSS 6.5

Vulnerability Description

The NSS code used for checking PKCS#1 v1.5 was leaking information useful in mounting Bleichenbacher-like attacks. Both the overall correctness of the padding as well as the length of the encrypted message was leaking through timing side-channel. By sending large number of attacker-selected ciphertexts, the attacker would be able to decrypt a previously intercepted PKCS#1 v1.5 ciphertext (for example, to decrypt a TLS session that used RSA key exchange), or forge a signature using the victim's key. The issue was fixed by implementing the implicit rejection algorithm, in which the NSS returns a deterministic random message in case invalid padding is detected, as proposed in the Marvin Attack paper. This vulnerability affects NSS < 3.61.

Related Vulnerabilities

CVE-2014-9720

MEDIUM

CVSS:6.5(Medium)

Tornado before 3.2.2 sends arbitrary responses that contain a fixed CSRF token and may be sent with HTTP compression, which makes it easier for remote attackers to conduct a BREACH attack and determin...

CWE-2032014

CVE-2018-10919

MEDIUM

CVSS:6.5(Medium)

The Samba Active Directory LDAP server was vulnerable to an information disclosure flaw because of missing access control checks. An authenticated attacker could use this flaw to extract confidential ...

CWE-2032018

CVE-2019-13456

MEDIUM

CVSS:6.5(Medium)

In FreeRADIUS 3.0 through 3.0.19, on average 1 in every 2048 EAP-pwd handshakes fails because the password element cannot be found within 10 iterations of the hunting and pecking loop. This leaks info...

CWE-2032019

CVE-2020-6400

MEDIUM

CVSS:6.5(Medium)

Inappropriate implementation in CORS in Google Chrome prior to 80.0.3987.87 allowed a remote attacker to leak cross-origin data via a crafted HTML page.

CWE-2032020

CVE-2020-6473

MEDIUM

CVSS:6.5(Medium)

Insufficient policy enforcement in Blink in Google Chrome prior to 83.0.4103.61 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.

CWE-2032020

CVE-2021-0086

MEDIUM

CVSS:6.5(Medium)

Observable response discrepancy in floating-point operations for some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access.

CWE-2032021