PYSEC-2018-52

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/cryptography/PYSEC-2018-52.yaml

JSON Data

https://api.test.osv.dev/v1/vulns/PYSEC-2018-52

Aliases

Published

2018-07-30T16:29:00Z

Modified

2023-11-01T04:48:45.841461Z

Summary

[none]

Details

A flaw was found in python-cryptography versions between >=1.9.0 and <2.3. The finalizewithtag API did not enforce a minimum tag length. If a user did not validate the input length prior to passing it to finalizewithtag an attacker could craft an invalid payload with a shortened tag (e.g. 1 byte) such that they would have a 1 in 256 chance of passing the MAC check. GCM tag forgeries can cause key leakage.

References

Affected packages

PyPI / cryptography

Package

Name: cryptography; View open source insights on deps.dev
Purl: pkg:pypi/cryptography

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.9

Fixed

2.3

Affected versions

1.*

1.9

2.*

2.0

2.0.1

2.0.2

2.0.3

2.1

2.1.1

2.1.2

2.1.3

2.1.4

2.2

2.2.1

2.2.2