VYPR
High severity · NVD Advisory · Published Dec 27, 2022 · Updated Apr 11, 2025

cocagne pysrp _ctsrp.py calculate_x information exposure

CVE-2021-4286

Description

A vulnerability, which was classified as problematic, has been found in cocagne pysrp up to 1.0.16. This issue affects the function calculate_x of the file srp/_ctsrp.py. The manipulation leads to information exposure through discrepancy. Upgrading to version 1.0.17 is able to address this issue. The name of the patch is dba52642f5e95d3da7af1780561213ee6053195f. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-216875.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An information exposure vulnerability exists in cocagne pysrp up to version 1.0.16, allowing attackers to gain insights through timing or behavioral discrepancies in the calculate_x function.

Root Cause

A problematic vulnerability has been identified in cocagne pysrp, a Python implementation of the Secure Remote Password (SRP) protocol, affecting versions up to 1.0.16. The issue resides in the calculate_x function of the srp/_ctsrp.py file, where manipulation leads to information exposure through a discrepancy. The exact nature of the manipulation is not specified in the available references, but it likely involves a flaw in the computation or handling of the SRP proof-of-possession value that leaks subtle behavioral differences [1].

Exploitation Vector

An attacker positioned as either a client or server in the SRP authentication exchange could potentially exploit this vulnerability. The attack requires network access to perform the SRP protocol handshake. No specific authentication is needed prior to exploitation, as the flaw occurs during the authentication challenge itself. The discrepancy likely manifests as a timing side-channel or a distinguishable error condition that reveals information about the secret parameters [1][2].

Impact

Successful exploitation leads to information exposure, which could allow an attacker to deduce sensitive cryptographic values, such as the password verifier or the user's password, over repeated interactions. This undermines the security guarantees of the SRP protocol, which is designed for password-based mutual authentication without revealing secrets [2]. The vulnerability is classified as problematic with a CVSS vector not yet fully provided, indicating it can lead to partial disclosure of confidential information [1].

Mitigation

The vulnerability is fixed in version 1.0.17 of pysrp, with the patch identifier dba52642f5e95d3da7af1780561213ee6053195f. Users are strongly advised to upgrade to this version or later. The Python Package Index (PyPI) advisory database also records this under PYSEC-2022-43014, confirming the resolution [1][3][4].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: srp (PyPI)
Affected versions: < 1.0.17
Patched versions: 1.0.17

Affected products

  • cocagne/pysrp (2 versions: <=1.0.16, 1.0.0)
    • (no CPE) range: <=1.0.16
    • (no CPE) range: 1.0.0
  • ghsa-coords
    Range: < 1.0.17

Patches

1
dba52642f5e9

Merge pull request #43 from ddealmei/fix-srp-vuln

https://github.com/cocagne/pysrp · Tom Cocagne · Feb 1, 2021 · via ghsa
1 file changed · +6 -0
  • srp/_ctsrp.py · +6 -0 · modified
    @@ -201,6 +201,9 @@ def load_func( name, args, returns = ctypes.c_int):
     load_func( 'BN_CTX_new',  []        , BN_CTX )
     load_func( 'BN_CTX_free', [ BN_CTX ], None   )
     
    +load_func( 'BN_set_flags', [ BIGNUM, ctypes.c_int ], None )
    +BN_FLG_CONSTTIME = 0x04
    +
     load_func( 'BN_cmp',      [ BIGNUM, BIGNUM ], ctypes.c_int )
     
     load_func( 'BN_num_bits', [ BIGNUM ], ctypes.c_int )
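Review bot: BN_FLG_CONSTTIME = 0x04 is a bare magic number with no comment tying it to the header it mirrors. The value is copied by hand into the ctypes binding rather than read from libcrypto, so add a comment naming its source (the BN_FLG_CONSTTIME define in OpenSSL's bn.h); that makes a mismatch easy to spot if the binding is ever loaded against a different library. The None return type on the BN_set_flags binding matches a void function and is consistent with the BN_CTX_free binding just above it.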
    @@ -292,6 +295,7 @@ def calculate_x( hash_class, dest, salt, username, password ):
             username = six.b('')
         up = hash_class(username + six.b(':') + password).digest()
         H_bn_str( hash_class, dest, salt, up )
    +    BN_set_flags(dest, BN_FLG_CONSTTIME)
     
     
     def update_hash( ctx, n ):
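Review bot: the BN_set_flags(dest, BN_FLG_CONSTTIME) call at the end of calculate_x has no comment or docstring explaining why it is there. dest holds a value hashed from the salt, username and password, so a one-line comment stating that it is secret and must carry the constant-time flag would keep a later refactor from dropping the call as if it did nothing. calculate_x also now changes flags on the caller's BIGNUM as a side effect, which should be mentioned wherever the function is documented.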
    @@ -430,6 +434,7 @@ def __init__(self,  username, bytes_s, bytes_v, bytes_A, hash_alg=SHA1, ng_type=
                     bytes_to_bn( self.b, bytes_b )
                 else:
                     BN_rand(self.b, 256, 0, 0)
    +            BN_set_flags(self.b, BN_FLG_CONSTTIME)
     
                 # B = kv + g^b
                 BN_mul(self.tmp1, k, self.v, self.ctx)
    @@ -541,6 +546,7 @@ def __init__(self, username, password, hash_alg=SHA1, ng_type=NG_2048, n_hex=Non
             if bytes_A:
                 bytes_to_bn( self.A, bytes_A )
             else:
    +            BN_set_flags(self.a, BN_FLG_CONSTTIME)
                 BN_mod_exp(self.A, g, self.a, N, self.ctx)
     
     
    
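Review bot: in this hunk BN_set_flags(self.a, BN_FLG_CONSTTIME) sits inside the else branch only, so when bytes_A is supplied self.a is never flagged. The previous hunk (@@ -430) places the equivalent call for self.b after the if/else, covering both branches; the same placement is needed here if self.a is used again later in the handshake, which these lines do not show. Suggest moving the call above the `if bytes_A:` line so the flag is set on every path before self.a is used.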
