CVSS: 7.8EPSS: 0%CPEs: 5EXPL: 0CVE-2023-50782 – Python-cryptography: bleichenbacher timing oracle attack against rsa decryption - incomplete fix for cve-2020-25659
https://notcve.org/view.php?id=CVE-2023-50782
05 Feb 2024 — A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data. Se encontró una falla en el paquete python-cryptography. Este problema puede permitir que un atacante remoto descifre mensajes capturados en servidores TLS que utilizan intercambios de claves RSA, lo que puede provocar la exposición de datos confidenciales o sensibles. Hubert Kario dis... • https://access.redhat.com/security/cve/CVE-2023-50782 • CWE-203: Observable Discrepancy CWE-208: Observable Timing Discrepancy •
CVSS: 5.9EPSS: 0%CPEs: 2EXPL: 0CVE-2020-25659 – python-cryptography: Bleichenbacher timing oracle attack against RSA decryption
https://notcve.org/view.php?id=CVE-2020-25659
03 Nov 2020 — python-cryptography 3.2 is vulnerable to Bleichenbacher timing attacks in the RSA decryption API, via timed processing of valid PKCS#1 v1.5 ciphertext. python-cryptography versión 3.2, es vulnerable a ataques de sincronización de Bleichenbacher en la API de descifrado RSA, por medio del procesamiento cronometrado de texto cifrado PKCS#1 v1.5 válido A flaw was found in python-cryptography, where it is vulnerable to Bleichenbacher timing attacks. This flaw allows an attacker, via the RSA decryption API, to de... • https://github.com/pyca/cryptography/pull/5507/commits/ce1bef6f1ee06ac497ca0c837fbd1c7ef6c2472b • CWE-385: Covert Timing Channel •
CVSS: 7.5EPSS: 0%CPEs: 3EXPL: 0CVE-2018-10903 – python-cryptography: GCM tag forgery via truncated tag in finalize_with_tag API
https://notcve.org/view.php?id=CVE-2018-10903
23 Jul 2018 — A flaw was found in python-cryptography versions between >=1.9.0 and <2.3. The finalize_with_tag API did not enforce a minimum tag length. If a user did not validate the input length prior to passing it to finalize_with_tag an attacker could craft an invalid payload with a shortened tag (e.g. 1 byte) such that they would have a 1 in 256 chance of passing the MAC check. GCM tag forgeries can cause key leakage. Se ha encontrado un error en python-cryptography, desde la versión 1.9.0 hasta la 2.3. • https://access.redhat.com/errata/RHSA-2018:3600 • CWE-20: Improper Input Validation •