CVE-2023-52323: Non Constant Time Crypto Padding Parse
Using non-constant time methods like `.find()` or `.index()` to locate a padding separator byte (e.g., `b'\x01'` or `b'\x00'`) during decryption introduces a timing side-channel. This leaks information about the plaintext structure and makes the application vulnerable to padding oracle attacks like Manger's attack. Use constant-time array parsing instead.
Provally Curated · Public repository · High · Medium confidence · Verified · Apache-2.0 · Python
greprules fetch cve-2023-52323-non-constant-time-crypto-padding-parse --engine opengrep
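The flagged pattern next to a scan with data-independent control flow, as an added example (not the rule's or any library's own code). The block layout (zero padding, a `0x01` separator, then the message), the function names and the sample bytes are assumptions made for illustration.

```python
# Added illustration. Layout assumed: 0x00 padding, one 0x01 separator, message.

def find_separator_leaky(block: bytes) -> int:
    """Pattern the rule flags: .find() returns at the first match, so its
    running time depends on where the separator sits in the plaintext."""
    return block.find(b"\x01")


def find_separator_uniform(block: bytes) -> int:
    """Visit every byte with no early exit and no data-dependent branch.

    Returns the index of the first 0x01 if only 0x00 bytes precede it,
    otherwise -1. Pure Python cannot guarantee constant time; production
    code should run this scan in a vetted native helper.
    """
    index = 0
    found = 0  # becomes 1 once the separator has been seen
    bad = 0    # becomes 1 if a byte other than 0x00 precedes the separator
    for i, b in enumerate(block):
        is_sep = (((b ^ 0x01) - 1) >> 8) & 1   # 1 iff b == 0x01
        is_zero = ((b - 1) >> 8) & 1           # 1 iff b == 0x00
        first = is_sep & (found ^ 1)           # 1 only at the first separator
        index |= i & -first                    # record i without branching
        bad |= (found ^ 1) & (is_sep ^ 1) & (is_zero ^ 1)
        found |= is_sep
    ok = found & (bad ^ 1)
    return (index & -ok) | (-1 & -(ok ^ 1))


def unpad(block: bytes) -> bytes:
    """Strip the padding; every failure raises the same generic error."""
    sep = find_separator_uniform(block)
    if sep < 0:
        raise ValueError("Incorrect decryption.")
    return block[sep + 1:]


# Constructed sample blocks (not taken from any real ciphertext).
GOOD_BLOCK = bytes(5) + b"\x01" + b"msg"
BAD_BLOCK = b"\x00\x02\x01msg"
```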