CVE-2022-48570 — Out-of-bounds Write in Crypto

CWE-787 — Out-of-bounds Write5 documents5 sources

Severity

7.5HIGHNVD

OSV5.9

EPSS

0.5%

top 33.03%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cryptopp Crypto Debian Libcrypto

Timeline

PublishedAug 22

Latest updateAug 29

Description

Crypto++ through 8.4 contains a timing side channel in ECDSA signature generation. Function FixedSizeAllocatorWithCleanup could write to memory outside of the allocation if the allocated memory was not 16-byte aligned. NOTE: this issue exists because the CVE-2019-14318 fix was intentionally removed for functionality reasons.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶NVDcryptopp/crypto8.4.0

▶debiandebian/libcrypto

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

CVE-2022-48570: Crypto++ through 8↗2023-08-22

▶

GHSA

GHSA-mgx5-qmrg-fjwp: Crypto++ through 8↗2023-08-22

▶

📋Vendor Advisories

Debian

CVE-2022-48570: libcrypto++ - Crypto++ through 8.4 contains a timing side channel in ECDSA signature generatio...↗2022

▶

💬Community

Bugzilla

CVE-2022-48570 cryptopp: timing side channel in ECDSA signature generation [epel-all]↗2023-08-29

▶