Improper Input Validation Affecting python-cryptography package, versions <2.3-1


0.0
high

Snyk CVSS

    Attack Complexity Low
    Confidentiality High

    Threat Intelligence

    EPSS 0.18% (55th percentile)
Expand this section
NVD
7.5 high
Expand this section
SUSE
5.3 medium
Expand this section
Red Hat
7.5 high

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-DEBIAN13-PYTHONCRYPTOGRAPHY-5693502
  • published 22 Jul 2018
  • disclosed 30 Jul 2018

How to fix?

Upgrade Debian:13 python-cryptography to version 2.3-1 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream python-cryptography package and not the python-cryptography package as distributed by Debian. See How to fix? for Debian:13 relevant fixed versions and status.

A flaw was found in python-cryptography versions between >=1.9.0 and <2.3. The finalize_with_tag API did not enforce a minimum tag length. If a user did not validate the input length prior to passing it to finalize_with_tag an attacker could craft an invalid payload with a shortened tag (e.g. 1 byte) such that they would have a 1 in 256 chance of passing the MAC check. GCM tag forgeries can cause key leakage.