CVE-2023-52323: 
Python vulnerability analysis and mitigation

PyCryptodome and pycryptodomex before version 3.19.1 contain a vulnerability that allows side-channel leakage during OAEP decryption operations, which could be exploited through a Manger attack (CVE-2023-52323). The vulnerability was discovered in December 2023 and affects all versions of the libraries prior to 3.19.1 (NVD, Debian).

The vulnerability is related to a timing side-channel in the OAEP (Optimal Asymmetric Encryption Padding) decryption process. This side-channel leakage makes the implementation susceptible to Manger attacks, which can potentially lead to the recovery of encrypted data. The vulnerability has been assigned a CVSS v3.1 base score of 5.9 (MEDIUM) with vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating that it requires network access and high attack complexity, but no privileges or user interaction (NVD).

The vulnerability could allow attackers to exploit timing differences in OAEP decryption operations to potentially recover encrypted data. This impacts the confidentiality of information protected by the affected cryptographic implementations (NVD).

The vulnerability has been fixed in PyCryptodome and pycryptodomex version 3.19.1. Users should upgrade to this version or later to address the security issue. The fix was implemented with the help of Hubert Kario (PyCrypto Changelog).