CVE-2018-10903

Опубликовано: 18 июл. 2018

Источник: redhat

CVSS3: 7.5

Описание

A flaw was found in python-cryptography versions between >=1.9.0 and <2.3. The finalize_with_tag API did not enforce a minimum tag length. If a user did not validate the input length prior to passing it to finalize_with_tag an attacker could craft an invalid payload with a shortened tag (e.g. 1 byte) such that they would have a 1 in 256 chance of passing the MAC check. GCM tag forgeries can cause key leakage.

Затронутые пакеты

Платформа	Пакет	Состояние	Рекомендация	Релиз
Red Hat Enterprise Linux 7	python-cryptography	Not affected
Red Hat Enterprise Linux 8	python-cryptography	Not affected
Red Hat Enterprise Linux OpenStack Platform 7 (Kilo)	python-cryptography	Not affected
Red Hat OpenStack Platform 14 (Rocky)	python-cryptography	Affected
Red Hat OpenStack Platform 8 (Liberty)	python-cryptography	Not affected
Red Hat OpenStack Platform 9 (Mitaka)	python-cryptography	Not affected
Red Hat Virtualization 4	python-cryptography	Not affected
Red Hat OpenStack Platform 13.0 (Queens)	python-cryptography	Fixed	RHSA-2018:3600	13.11.2018

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate

Дефект:

CWE-20

https://bugzilla.redhat.com/show_bug.cgi?id=1602931python-cryptography: GCM tag forgery via truncated tag in finalize_with_tag API

7.5 High

CVSS3

Связанные уязвимости

CVE-2018-10903

CVSS3: 7.5

ubuntu

больше 7 лет назад

CVE-2018-10903

CVSS3: 7.5

nvd

больше 7 лет назад

CVE-2018-10903

CVSS3: 7.5

debian

больше 7 лет назад

A flaw was found in python-cryptography versions between >=1.9.0 and < ...

openSUSE-SU-2018:3445-1

suse-cvrf

больше 7 лет назад

Security update for python-cryptography

SUSE-SU-2022:4044-1

suse-cvrf

около 3 лет назад

Security update for python-cryptography, python-cryptography-vectors

7.5 High

CVSS3