NVD

Vulnerability Change Records for CVE-2024-37305

Action	Type	New Value
Added	CVSS V3.1	GitHub, Inc. AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H
Added	CWE	GitHub, Inc. CWE-120
Added	CWE	GitHub, Inc. CWE-130
Added	CWE	GitHub, Inc. CWE-190
Added	CWE	GitHub, Inc. CWE-680
Added	CWE	GitHub, Inc. CWE-805
Added	Description	oqs-provider is a provider for the OpenSSL 3 cryptography library that adds support for post-quantum cryptography in TLS, X.509, and S/MIME using post-quantum algorithms from liboqs. Flaws have been identified in the way oqs-provider handles lengths decoded with DECODE_UINT32 at the start of serialized hybrid (traditional + post-quantum) keys and signatures. Unchecked length values are later used for memory reads and writes; malformed input can lead to crashes or information leakage. Handling of plain/non-hybrid PQ key operation is not affected. This issue has been patched in in v0.6.1. All users are advised to upgrade. There are no workarounds for this issue.
Added	Reference	GitHub, Inc. https://github.com/open-quantum-safe/oqs-provider/pull/416 [No types assigned]
Added	Reference	GitHub, Inc. https://github.com/open-quantum-safe/oqs-provider/security/advisories/GHSA-pqvr-5cr8-v6fx [No types assigned]