Observable discrepancy in python-cryptography

#VU88199 Observable discrepancy in python-cryptography

Published: 2024-04-08

Vulnerability identifier: #VU88199

Vulnerability risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-50782

CWE-ID: CWE-203

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
python-cryptography
Universal components / Libraries / Programming Languages & Components

Vendor:

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application. A remote attacker can decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

External links
http://access.redhat.com/security/cve/CVE-2023-50782
http://bugzilla.redhat.com/show_bug.cgi?id=2254432

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM SOAR QRadar Plugin App

Observable discrepancy in IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data

Multiple vulnerabilities in IBM QRadar Suite Software

Observable discrepancy in IBM Process Mining

Multiple vulnerabilities in IBM Storage Protect Plus File Systems Agent

Multiple vulnerabilities in IBM Storage Defender - Resiliency Service

Ubuntu update for python-cryptography