CVE-2024-25714 Information

Description

In Rhonabwy through 1.1.13 HMAC signature verification uses a strcmp function that is vulnerable to side-channel attacks because it stops the comparison when the first difference is spotted in the two signatures. (The fix uses gnutls_memcmp which has constant-time execution.)

Reference

https://github.com/babelouest/rhonabwy/commit/f9fd9a1c77e48b514ebb3baf0360f87eef3d846e