- Reported
-
- Issued
-
- Package
-
libcrux-poly1305
(crates.io)
- Type
-
Vulnerability
- References
-
- CVSS Score
- 8.7
HIGH
- CVSS Details
-
- Attack Complexity
- Low
- Attack Requirements
- None
- Attack Vector
- Network
- Privileges Required
- None
- Availability Impact to the Subsequent System
- None
- Confidentiality Impact to the Subsequent System
- None
- Integrity Impact to the Subsequent System
- None
- User Interaction
- None
- Availability Impact to the Vulnerable System
- High
- Confidentiality Impact to the Vulnerable System
- None
- Integrity Impact to the Vulnerable System
- None
- CVSS Vector
- CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
- Patched
-
- Affected Functions
- Version
libcrux_poly1305::mac-
Description
An incorrect constant for the key length in libcrux-poly1305 caused
the standalone MAC function libcrux_poly1305::mac to always panic
with an out-of-bounds memory access.
Impact
Applications wishing to use libcrux-poly1305 as a standalone MAC would
experience panics. The use of libcrux-poly1305 in
libcrux-chacha20poly1305 is unaffected.
Mitigation
Starting from version 0.0.5, the correct value is used for the key
length constant.
Advisory available under CC0-1.0
license.