CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2023-50782 – Python-cryptography: bleichenbacher timing oracle attack against rsa decryption - incomplete fix for cve-2020-25659
https://notcve.org/view.php?id=CVE-2023-50782
A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data. Se encontró una falla en el paquete python-cryptography. Este problema puede permitir que un atacante remoto descifre mensajes capturados en servidores TLS que utilizan intercambios de claves RSA, lo que puede provocar la exposición de datos confidenciales o sensibles. • https://access.redhat.com/security/cve/CVE-2023-50782 https://bugzilla.redhat.com/show_bug.cgi?id=2254432 • CWE-203: Observable Discrepancy CWE-208: Observable Timing Discrepancy •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2018-10903 – python-cryptography: GCM tag forgery via truncated tag in finalize_with_tag API
https://notcve.org/view.php?id=CVE-2018-10903
A flaw was found in python-cryptography versions between >=1.9.0 and <2.3. The finalize_with_tag API did not enforce a minimum tag length. If a user did not validate the input length prior to passing it to finalize_with_tag an attacker could craft an invalid payload with a shortened tag (e.g. 1 byte) such that they would have a 1 in 256 chance of passing the MAC check. GCM tag forgeries can cause key leakage. Se ha encontrado un error en python-cryptography, desde la versión 1.9.0 hasta la 2.3. • https://access.redhat.com/errata/RHSA-2018:3600 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10903 https://github.com/pyca/cryptography/pull/4342/commits/688e0f673bfbf43fa898994326c6877f00ab19ef https://usn.ubuntu.com/3720-1 https://access.redhat.com/security/cve/CVE-2018-10903 https://bugzilla.redhat.com/show_bug.cgi?id=1602931 • CWE-20: Improper Input Validation •