#VU15945 Information disclosure in python-cryptography - CVE-2018-10903

Cybersecurity Help s.r.o.

Published: 2018-11-16 | Updated: 2018-11-19

Vulnerability identifier: #VU15945

Vulnerability risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-10903

CWE-ID: CWE-200

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
python-cryptography
Universal components / Libraries / Programming Languages & Components

Vendor: Python Cryptographic Authority

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The vulnerability exists due to due to insufficient enforcement of a minimum tag length prior to passing user-supplied input to the finalize_with_tag API. A remote attacker can send a specially crafted request that submits a malicious short tag length, trigger key leakage and access sensitive information.

Mitigation
Update to version 2.3.

Vulnerable software versions

python-cryptography: 1.9 - 2.2.2

External links
https://github.com/pyca/cryptography/pull/4342/commits/688e0f673bfbf43fa898994326c6877f00ab19ef

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Dell PowerStore Family

Multiple vulnerabilities in Dell EMC VxRail Appliance

SUSE update for python-cryptography, python-cryptography-vectors

Red Hat update for python-cryptography

OpenSUSE Linux update for python-cryptography

Information disclosure in python-cryptography