Rhonabwy Project Rhonabwy vulnerabilities
3 known vulnerabilities affecting rhonabwy_project/rhonabwy.
Total CVEs: 3
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 2
Vulnerabilities
CVE-2024-25714 | CRITICAL | CVSS 9.8 | CWE-203 | ≤ 1.1.3 | 2024-02-11
In Rhonabwy through 1.1.13, HMAC signature verification uses a strcmp function that is vulnerable to side-channel attacks, because it stops the comparison when the first difference is spotted in the two signatures. (The fix uses gnutls_memcmp, which has constant-time execution.)
Sources: nvd, osv
CVE-2022-38493 | HIGH | CVSS 7.5 | CWE-327 | ≥ 0.9.99, < 1.1.6 | 2022-08-20
Rhonabwy 0.9.99 through 1.1.x before 1.1.7 doesn't check the RSA private key length before RSA-OAEP decryption. This allows attackers to cause a Denial of Service via a crafted JWE (JSON Web Encryption) token.
Sources: nvd, osv
CVE-2022-32096 | HIGH | CVSS 7.5 | CWE-120 | fixed in 1.1.5 | 2022-07-13
Rhonabwy before v1.1.5 was discovered to contain a buffer overflow via the component r_jwe_aesgcm_key_unwrap. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted JWE token.
Sources: nvd, osv