GHSA-fcf9-3qw3-gxmj
Suggest an improvement- Source
- https://github.com/advisories/GHSA-fcf9-3qw3-gxmj
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/07/GHSA-fcf9-3qw3-gxmj/GHSA-fcf9-3qw3-gxmj.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-fcf9-3qw3-gxmj
- Aliases
- Published
- 2018-07-31T18:28:09Z
- Modified
- 2024-09-13T18:24:32.976877Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- PyCA Cryptography vulnerable to GCM tag forgery
- Details
-
A flaw was found in python-cryptography versions between >=1.9.0 and <2.3. The finalizewithtag API did not enforce a minimum tag length. If a user did not validate the input length prior to passing it to finalizewithtag an attacker could craft an invalid payload with a shortened tag (e.g. 1 byte) such that they would have a 1 in 256 chance of passing the MAC check. GCM tag forgeries can cause key leakage.
- Database specific
{ "nvd_published_at": null, "cwe_ids": [ "CWE-20" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:34:18Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2018-10903
- https://github.com/pyca/cryptography/pull/4342
- https://github.com/pyca/cryptography/commit/d4378e42937b56f473ddade2667f919ce32208cb
- https://access.redhat.com/errata/RHSA-2018:3600
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10903
- https://github.com/advisories/GHSA-fcf9-3qw3-gxmj
- https://github.com/pyca/cryptography
- https://github.com/pypa/advisory-database/tree/main/vulns/cryptography/PYSEC-2018-52.yaml
- https://usn.ubuntu.com/3720-1
Affected packages
PyPI / cryptography
Package
- Name
- cryptography
- View open source insights on deps.dev
- Purl
- pkg:pypi/cryptography