CVE-2024-37305

CVSS V2 None CVSS V3 None

Description

oqs-provider is a provider for the OpenSSL 3 cryptography library that adds support for post-quantum cryptography in TLS, X.509, and S/MIME using post-quantum algorithms from liboqs. Flaws have been identified in the way oqs-provider handles lengths decoded with DECODE_UINT32 at the start of serialized hybrid (traditional + post-quantum) keys and signatures. Unchecked length values are later used for memory reads and writes; malformed input can lead to crashes or information leakage. Handling of plain/non-hybrid PQ key operation is not affected. This issue has been patched in in v0.6.1. All users are advised to upgrade. There are no workarounds for this issue.

Overview

CVE ID
CVE-2024-37305

Assigner
GitHub_M

Vulnerability Status
PUBLISHED

Published Version
2024-06-17T19:42:22.091Z

Last Modified Date
2024-06-18T13:42:29.675Z

Weakness Enumerations

CWE	URL
CWE-120	http://cwe.mitre.org/data/definitions/120.html
CWE-130	http://cwe.mitre.org/data/definitions/130.html
CWE-190	http://cwe.mitre.org/data/definitions/190.html
CWE-680	http://cwe.mitre.org/data/definitions/680.html
CWE-805	http://cwe.mitre.org/data/definitions/805.html

References

Reference URL	Reference Tags
https://github.com/open-quantum-safe/oqs-provider/security/advisories/GHSA-pqvr-5cr8-v6fx	x_refsource_CONFIRM
https://github.com/open-quantum-safe/oqs-provider/pull/416	x_refsource_MISC

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2024-37305
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-37305

History

Created	Old Value	New Value	Data Type	Notes
2024-06-26 01:26:20				Added to TrackCVE