HOMEVULNERABILITIESCVE-2022-4304
MEDIUM

CVE-2022-4304

CWE-203Published: February 8, 2023· Updated: Jun 17, 2026

5.9
CVSS v3.1

Official Description

A timing based side channel exists in the OpenSSL RSA Decryption implementation

which could be sufficient to recover a plaintext across a network in a

Bleichenbacher style attack. To achieve a successful decryption an attacker

would have to be able to send a very large number of trial messages for

decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5,

RSA-OEAP and RSASVE.

For example, in a TLS connection, RSA is commonly used by a client to send an

encrypted pre-master secret to the server. An attacker that had observed a

genuine connection between a client and a server could use this flaw to send

trial messages to the server and record the time taken to process them. After a

sufficiently large number of messages the attacker could recover the pre-master

secret used for the original connection and thus be able to decrypt the

application data sent over that connection.

NVD Source

Technical Analysis

CVE-2022-4304 can be exploited remotely over the network without requiring physical or adjacent access, significantly expanding the attack surface for threat actors.

The vulnerability requires no privileges and no user interaction, making it a prime target for automated exploitation campaigns and worm-like propagation.

A successful exploit results in complete confidentiality breach (data exposure), with a CVSS base score of 5.9.

CVSS v3.1 Vector Breakdown

Exploitability
Attack VectorNetwork
Attack ComplexityHigh
Privileges Req.None
User InteractionNone
ScopeUnchanged
Impact
ConfidentialityHigh
IntegrityNone
AvailabilityNone
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected Vendors & Products

OpenSSL1 product(s)
openssl
stormshield3 product(s)
endpoint securitysslvpnstormshield network security
Source: NVD CPE · 4 total CPE entries

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

Official Patches & Advisories

News & Research Mentioning CVE-2022-4304

Hitachi Energy GMS600
CISA Alerts· May 21, 2026

View CSAF Summary Hitachi Energy is aware of the vulnerability, CVE-2022-4304 in the OSS component OpenSSL, that affects the GMS600 versions that are listed below. An attacker successfully exploiting this vulnerability could send trial messages to the server and record the time taken to process them. After a sufficiently large number of messages the attacker could recover the pre-master secret used for the original connection and thus be able to decrypt the application data sent over that connection. For immediate mitigation /workaround information, please refer to the General Mitigation Factors/Workarounds The following versions of Hitachi Energy GMS600 are affected: GMS600 vers:GMS600/>=1.3.0|<=1.3.1 (CVE-2022-4304) CVSS Vendor Equipment Vulnerabil [xlite_meta score:73 src:CISA Alerts xlite_fp:739ee8570fab7a4a078470a7e732006eacb663c03884f96b7227573f8036a3e0]

All References (5)

Quick Facts

CVE IDCVE-2022-4304
CVSS Score5.9 / 10
SeverityMEDIUM
WeaknessCWE-203
CISA KEVNo
Affected2 vendor(s)
PublishedFeb 8, 2023

Related CVEs (CWE-203)

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2022-4304 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.