Skip to content

iPerf3 before 3.17, when used with OpenSSL before 3.2.0...

Unreviewed Published May 14, 2024 to the GitHub Advisory Database • Updated Aug 20, 2024

Package

No package listedSuggest a package

Affected versions

Unknown

Patched versions

Unknown

Description

iPerf3 before 3.17, when used with OpenSSL before 3.2.0 as a server with RSA authentication, allows a timing side channel in RSA decryption operations. This side channel could be sufficient for an attacker to recover credential plaintext. It requires the attacker to send a large number of messages for decryption, as described in "Everlasting ROBOT: the Marvin Attack" by Hubert Kario.

References

Published by the National Vulnerability Database May 14, 2024
Published to the GitHub Advisory Database May 14, 2024
Last updated Aug 20, 2024

Severity

Unknown

EPSS score

0.045%
(17th percentile)

Weaknesses

No CWEs

CVE ID

CVE-2024-26306

GHSA ID

GHSA-x8qh-8j65-v4j9

Source code

No known source code

Dependabot alerts are not supported on this advisory because it does not have a package from a supported ecosystem with an affected and fixed version.

Learn more about GitHub language support

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.