Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2024-13939

String::Compare::ConstantTime for Perl through 0.321 is vulnerable to timing attacks that allow an attacker to guess the length of a secret string. As stated in the documentation: "If the lengths of the strings are different, because equals returns false right away the size of the secret string may be leaked (but not its contents)." This is similar to CVE-2020-36829

Published

2025-03-28T03:15:15.720

Last Modified

2025-04-11T18:10:56.160

Status

Analyzed

Source

9b29abf9-4ab0-4765-b253-1875cd9b441e

Severity

CVSSv3.1: 7.5 (HIGH)

Weaknesses

Type: Secondary
CWE-208
Type: Primary
CWE-203

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	fractal	string\	≤ 0.321	Yes

References

https://metacpan.org/release/FRACTAL/String-Compare-ConstantTime-0.321/view/lib/String/Compare/ConstantTime.pm#TIMING-SIDE-CHANNEL Technical Description (9b29abf9-4ab0-4765-b253-1875cd9b441e)