cryptography@0.5.3 vulnerabilities
cryptography is a package which provides cryptographic recipes and primitives to Python developers.
-
latest version
44.0.0
-
latest non vulnerable version
-
first published
11 years ago
-
latest version published
a day ago
-
licenses detected
- [0.1,37.0.0)
Direct Vulnerabilities
Known vulnerabilities in the cryptography package. This does not include vulnerabilities belonging to this package’s dependencies.
Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.Vulnerability | Vulnerable Version |
---|---|
Affected versions of this package are vulnerable to Uncontrolled Resource Consumption due to improper user input validation in the Note: OpenSSL does not call these functions on untrusted DSA keys, so only applications that directly call these functions may be vulnerable. Also vulnerable are the OpenSSL How to fix Uncontrolled Resource Consumption? Upgrade |
[0,42.0.8)
|
Affected versions of this package are vulnerable to NULL Pointer Dereference when processing a maliciously formatted PKCS12 file. The vulnerability exists due to improper handling of optional How to fix NULL Pointer Dereference? Upgrade |
[,42.0.2)
|
Affected versions of this package are vulnerable to Observable Timing Discrepancy. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data (Marvin). Note: This vulnerability exists due to an incomplete fix for CVE-2020-25659. How to fix Observable Timing Discrepancy? Upgrade |
[,42.0.0)
|
Affected versions of this package are vulnerable to Denial of Service (DoS) when the Note: This is only exploitable if the application uses these functions to generate or check an X9.42 DH key or parameters. Also, the OpenSSL How to fix Denial of Service (DoS)? Upgrade |
[,42.0.0)
|
Affected versions of this package are vulnerable to Missing Cryptographic Step when the Both truncations and overruns of the key and the IV will produce incorrect results and could, in some cases, trigger a memory exception. How to fix Missing Cryptographic Step? Upgrade |
[,41.0.5)
|
Affected versions of this package are vulnerable to Improper Certificate Validation in the SSH certificate decoding process. An attacker can cause the application to accept unauthorized SSH certificates generated by Note: This is only exploitable if the attacker controls the SSH certificate generation process or can introduce crafted SSH certificates into the system. How to fix Improper Certificate Validation? Upgrade |
[,41.0.2)
|
Affected versions of this package are vulnerable to Denial of Service (DoS) when processing specially crafted ASN.1 objects identifiers.
Applications that use How to fix Denial of Service (DoS)? Upgrade |
[,41.0.0)
|
Affected versions of this package are vulnerable to Denial of Service (DoS) due to a null pointer dereference in when signatures are being verified on PKCS7 signed or signedAndEnveloped data in NOTE: The TLS implementation in OpenSSL does not call these functions. How to fix Denial of Service (DoS)? Upgrade |
[,39.0.1)
|
Affected versions of this package are vulnerable to Denial of Service (DoS) due to a null dereference when validating DSA public keys in the NOTE: The TLS implementation in OpenSSL does not call this function. How to fix Denial of Service (DoS)? Upgrade |
[,39.0.1)
|
Affected versions of this package are vulnerable to Use After Free in the How to fix Use After Free? Upgrade |
[,39.0.1)
|
Affected versions of this package are vulnerable to Access of Resource Using Incompatible Type ('Type Confusion') in How to fix Access of Resource Using Incompatible Type ('Type Confusion')? Upgrade |
[,39.0.1)
|
Affected versions of this package are vulnerable to Timing Attack in How to fix Timing Attack? Upgrade |
[,39.0.1)
|
Affected versions of this package are vulnerable to Denial of Service (DoS) due to an invalid pointer dereference in the NOTE: The TLS implementation in OpenSSL does not call these functions. How to fix Denial of Service (DoS)? Upgrade |
[,39.0.1)
|
Affected versions of this package are vulnerable to Denial of Service (DoS) due to a read buffer overflow in certificate name constraint checking in How to fix Denial of Service (DoS)? Upgrade |
[,39.0.1)
|
Affected versions of this package are vulnerable to Denial of Service (DoS) due to a double free after calling the How to fix Denial of Service (DoS)? Upgrade |
[,39.0.1)
|
Affected versions of this package are vulnerable to Denial of Service (DoS). If an X.509 certificate contains a malformed policy constraint and policy processing is enabled, then a write lock will be taken twice recursively. On some operating systems (most widely: Windows), this results in a denial of service when the affected process hangs. NOTE: Policy processing being enabled on a publicly-facing server is not considered to be a common setup. How to fix Denial of Service (DoS)? Upgrade |
[0,39.0.1)
|
Affected versions of this package are vulnerable to Timing Attack. It is vulnerable to Bleichenbacher timing attacks in the RSA decryption API, via timed processing of valid PKCS#1 v1.5 ciphertext (Marvin). Notes:
How to fix Timing Attack? Upgrade |
[,3.2)
|
Affected versions of The OpenSSL backend beffore 1.0.2 made use of assertions to check response where the tests could not trigger a failure. If a user ran Python with this -O flag and got an invalid response code this could lead to a crash. How to fix Denial of Service (DoS)? Upgrade |
[,1.0.2)
|
Affected versions of Double free vulnerability in the dsa_priv_decode function in crypto/dsa/dsa_ameth.c in OpenSSL 1.0.1 before 1.0.1s and 1.0.2 before 1.0.2g allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a malformed DSA private key. (related to CVE-2016-0705) How to fix Denial of Service (DoS)? Upgrade |
[,0.9.1)
|
Affected versions of this package are vulnerable to Use of a Risky Cryptographic Algorithm. HKDF in cryptography before 1.5.2 returns an empty byte-string if used with a length less than |
[,1.5.2)
|
Affected versions of this package are vulnerable to TLS Truncation. A malicious user can prevent a user from fetching the parts of a message by inserting TCP code into a message indicating the message has completed. |
[,1.1)
|