exploitDog
CVE-2023-50782

Published: 13 Dec 2023
Source: redhat
CVSS3: 7.5
EPSS: Low

Description

A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.

Report

This vulnerability exists due to an incomplete fix for CVE-2020-25659. The CVE-2020-25659 vulnerability presents a moderate severity concern due to its specific impact on applications utilizing RSA decryption with PKCS#1 v1.5 padding. While the vulnerability could potentially lead to leakage in RSA decryption operations, its severity is downgraded to moderate by several factors. Firstly, the exploitability of the vulnerability is limited to scenarios where RSA decryption with PKCS#1 v1.5 padding is employed, narrowing the scope of affected systems. Additionally, the implementation of implicit rejection, such as the Marvin workaround, provides a viable mitigation strategy. https://people.redhat.com/~hkario/marvin/
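The implicit-rejection mitigation named in the report above (the Marvin workaround) can be shown in isolation. The block below is an added example, not code from the Red Hat advisory, python-cryptography or OpenSSL: it implements textbook RSA with PKCS#1 v1.5 padding on Python integers over a constructed, freshly generated key, and contrasts the classic decrypt routine, whose padding failure is a distinguishable error path, with one that never reports a failure and instead returns a synthetic plaintext derived deterministically from the private key and the ciphertext. The function names, the dict key layout and the HMAC-SHA256 construction of the synthetic message are this example's own assumptions; pure Python also cannot make the padding check constant-time, which a real implementation of the workaround must.

```python
"""Implicit rejection for RSA PKCS#1 v1.5 decryption (the "Marvin workaround").
Added example; not code from the Red Hat advisory, python-cryptography or OpenSSL.
Key, helper names and the PRF construction are this example's own assumptions."""
import hashlib
import hmac
import random
import secrets


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin test; adequate for a constructed demo key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_key(bits=1024):
    """Constructed RSA key {n, e, d}; sized for demo speed, not for production use."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:  # e is prime, so this is gcd(e, phi) == 1
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}


def encrypt_pkcs1_v15(key, message):
    """PKCS#1 v1.5 type-2 block: 00 02 <nonzero PS, at least 8 bytes> 00 <message>."""
    k = (key["n"].bit_length() + 7) // 8
    if len(message) > k - 11:
        raise ValueError("message too long for PKCS#1 v1.5")
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(k - 3 - len(message)))
    em = b"\x00\x02" + ps + b"\x00" + message
    return pow(int.from_bytes(em, "big"), key["e"], key["n"]).to_bytes(k, "big")


def _unpad(em):
    """Return (ok, message). Scans the whole block rather than bailing out at the first
    bad byte; a real implementation must make this check constant-time."""
    sep = -1
    for i in range(2, len(em)):
        if em[i] == 0 and sep == -1:
            sep = i
    ok = em[0] == 0 and em[1] == 2 and sep >= 10  # at least 8 bytes of padding string
    return ok, (em[sep + 1:] if ok else b"")


def _synthetic_message(key, ciphertext, k):
    """Stand-in plaintext for a rejected ciphertext, keyed by the private key and the
    ciphertext so repeated queries with the same input get the same answer.
    Assumption: HMAC-SHA256 as the PRF; the construction in OpenSSL differs in detail."""
    secret = hashlib.sha256(key["d"].to_bytes(k, "big")).digest()
    kdk = hmac.new(secret, ciphertext, hashlib.sha256).digest()
    length = int.from_bytes(hmac.new(kdk, b"len", hashlib.sha256).digest()[:2], "big") % (k - 10)
    body, counter = b"", 0
    while len(body) < length:
        body += hmac.new(kdk, b"body" + bytes([counter]), hashlib.sha256).digest()
        counter += 1
    return body[:length]


def _raw_decrypt(key, ciphertext):
    k = (key["n"].bit_length() + 7) // 8
    c = int.from_bytes(ciphertext, "big")
    if len(ciphertext) != k or c >= key["n"]:
        raise ValueError("ciphertext out of range")  # length and range are public; loud rejection is fine
    return k, pow(c, key["d"], key["n"]).to_bytes(k, "big")


def decrypt_explicit_rejection(key, ciphertext):
    """Classic behaviour: a padding failure becomes an observable error (the oracle)."""
    _, em = _raw_decrypt(key, ciphertext)
    ok, message = _unpad(em)
    if not ok:
        raise ValueError("bad padding")
    return message


def decrypt_implicit_rejection(key, ciphertext):
    """Marvin workaround: never signal a padding failure; return the synthetic message."""
    k, em = _raw_decrypt(key, ciphertext)
    synthetic = _synthetic_message(key, ciphertext, k)  # computed on every call, not only on failure
    ok, message = _unpad(em)
    return message if ok else synthetic
```

With a valid ciphertext both routines return the original message; with a ciphertext whose last bit has been flipped the explicit version raises while the implicit version returns the same pseudo-random bytes on every call, so a caller that goes on to use the result (as a TLS server uses the premaster secret) behaves identically in both cases and the padding check stops being an observable oracle.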

Mitigation

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Affected packages

Platform                                        | Package                          | State                | Recommendation | Release
Red Hat Ansible Automation Platform 2           | python-cryptography              | Not affected         |                |
Red Hat Enterprise Linux 7                      | python-cryptography              | Out of support scope |                |
Red Hat Enterprise Linux 8                      | python39:3.9/python-cryptography | Affected             |                |
Red Hat Enterprise Linux 8                      | python-cryptography              | Affected             |                |
Red Hat Enterprise Linux 9                      | python-cryptography              | Affected             |                |
Red Hat Satellite 6                             | python-cryptography              | Not affected         |                |
Red Hat Update Infrastructure 4 for Cloud Providers | python-cryptography          | Affected             |                |


Additional information

Status: Moderate
Defect: CWE-327 -> CWE-385 -> CWE-208
https://bugzilla.redhat.com/show_bug.cgi?id=2254432
python-cryptography: Bleichenbacher timing oracle attack against RSA decryption - incomplete fix for CVE-2020-25659

EPSS: 0.00521 (percentile 66%, Low)
CVSS3: 7.5 High

Related vulnerabilities

ubuntu, more than 1 year ago, CVSS3: 7.5
A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.

nvd, more than 1 year ago, CVSS3: 7.5
A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.

msrc, 12 months ago, CVSS3: 7.5
No description available

debian, more than 1 year ago, CVSS3: 7.5
A flaw was found in the python-cryptography package. This issue may al ...

suse-cvrf, 8 months ago
Security update for openssl-3
