
CVE-2014-125055: easy-scrypt Observable Timing Discrepancy vulnerability

CVSS Score (v3.1): 5.3

Basic Information

EPSS Score: 0.23179%
Published: 1/7/2023
Updated: 10/20/2023
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Package Name: github.com/agnivade/easy-scrypt
Ecosystem: go
Vulnerable Versions: < 1.0.0
First Patched Version: 1.0.0

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability is located in the VerifyPassphrase function in scrypt.go. The patch replaces bytes.Equal, which returns as soon as it meets a mismatching byte and therefore takes time that depends on the values being compared, with crypto/subtle.ConstantTimeCompare, whose running time depends only on the input length; this is the standard mitigation for timing side channels in comparisons. CWE-208 (Observable Timing Discrepancy) maps directly to the use of a non-constant-time comparison in a security-critical operation such as password verification.
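The comparison change described above, shown as an added example that is not easy-scrypt's own code: the pre-1.0.0 pattern (bytes.Equal) next to the patched pattern (crypto/subtle.ConstantTimeCompare) inside a small verification routine shaped like VerifyPassphrase. The record format, the function names and the salted SHA-256 used in place of scrypt are assumptions made only so the block runs with the Go standard library alone.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// deriveKey stands in for the scrypt key derivation that easy-scrypt performs.
// Assumption: a salted SHA-256 is used here only so the example runs with the
// standard library alone; it is not a password-hashing KDF and not the project's code.
func deriveKey(salt []byte, passphrase string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(passphrase))
	return h.Sum(nil)
}

// HashPassphrase produces a stored record of the form "<hex salt>$<hex key>".
// The record format is constructed for this example.
func HashPassphrase(passphrase string) (string, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	key := deriveKey(salt, passphrase)
	return hex.EncodeToString(salt) + "$" + hex.EncodeToString(key), nil
}

// parseRecord splits and decodes a stored record, rejecting malformed input
// before any comparison takes place.
func parseRecord(stored string) (salt, key []byte, err error) {
	parts := strings.SplitN(stored, "$", 2)
	if len(parts) != 2 {
		return nil, nil, errors.New("malformed record: expected <salt>$<key>")
	}
	if salt, err = hex.DecodeString(parts[0]); err != nil {
		return nil, nil, fmt.Errorf("malformed salt: %w", err)
	}
	if key, err = hex.DecodeString(parts[1]); err != nil {
		return nil, nil, fmt.Errorf("malformed key: %w", err)
	}
	return salt, key, nil
}

// VerifyVariableTime reproduces the pre-1.0.0 pattern: bytes.Equal returns as
// soon as it meets a differing byte, so the call's duration depends on how many
// leading bytes of the derived key match the stored one (CWE-208).
func VerifyVariableTime(stored, passphrase string) (bool, error) {
	salt, key, err := parseRecord(stored)
	if err != nil {
		return false, err
	}
	return bytes.Equal(key, deriveKey(salt, passphrase)), nil
}

// VerifyConstantTime reproduces the 1.0.0 fix: subtle.ConstantTimeCompare
// examines every byte regardless of where the first difference lies. It returns
// 0 immediately when the lengths differ, which is acceptable here because the
// derived key length is fixed and not secret.
func VerifyConstantTime(stored, passphrase string) (bool, error) {
	salt, key, err := parseRecord(stored)
	if err != nil {
		return false, err
	}
	return subtle.ConstantTimeCompare(key, deriveKey(salt, passphrase)) == 1, nil
}

func main() {
	stored, err := HashPassphrase("correct horse battery staple")
	if err != nil {
		panic(err)
	}
	ok, _ := VerifyConstantTime(stored, "correct horse battery staple")
	bad, _ := VerifyConstantTime(stored, "wrong passphrase")
	fmt.Printf("constant-time verify: correct=%v wrong=%v\n", ok, bad)
}
```

Both variants return the same boolean for the same inputs; the difference is only in how the running time relates to the data, which is exactly what CWE-208 is about. The `== 1` check matters: ConstantTimeCompare returns an int, and treating any non-zero value as success is a common mistake when swapping it in for bytes.Equal.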


WAF Protection Rules

WAF Rule

A vulnerability, which was classified as problematic, was found in agnivade easy-scrypt. Affected is the function `VerifyPassphrase` of the file `scrypt.go`. The manipulation leads to observable timing discrepancy. Upgrading to version 1.0.0 can addr
