Lookup for vulnerable packages by Package URL.
| Purl | pkg:pypi/cryptography@2.2 |
|---|
| Type | pypi |
|---|
| Namespace | |
|---|
| Name | cryptography |
|---|
| Version | 2.2 |
|---|
| Qualifiers |
|
|---|
| Subpath | |
|---|
| Is_vulnerable | true |
|---|
| Next_non_vulnerable_version | 46.0.7 |
|---|
| Latest_non_vulnerable_version | 46.0.7 |
|---|
| Affected_by_vulnerabilities |
| 0 |
| url |
VCID-hvcn-tmdz-m3ct |
| vulnerability_id |
VCID-hvcn-tmdz-m3ct |
| summary |
A flaw was found in python-cryptography versions between >=1.9.0 and <2.3. The finalize_with_tag API did not enforce a minimum tag length. If a user did not validate the input length prior to passing it to finalize_with_tag an attacker could craft an invalid payload with a shortened tag (e.g. 1 byte) such that they would have a 1 in 256 chance of passing the MAC check. GCM tag forgeries can cause key leakage. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2018-10903, GHSA-fcf9-3qw3-gxmj, PYSEC-2018-52
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-hvcn-tmdz-m3ct |
|
| 1 |
| url |
VCID-jksg-v3x3-z3d3 |
| vulnerability_id |
VCID-jksg-v3x3-z3d3 |
| summary |
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to version 46.0.6, DNS name constraints were only validated against SANs within child certificates, and not the "peer name" presented during each validation. Consequently, cryptography would allow a peer named bar.example.com to validate against a wildcard leaf certificate for *.example.com, even if the leaf's parent certificate (or upwards) contained an excluded subtree constraint for bar.example.com. This issue has been patched in version 46.0.6. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-34073, GHSA-m959-cc7f-wv43, PYSEC-2026-35
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-jksg-v3x3-z3d3 |
|
| 2 |
| url |
VCID-u2xn-x2tc-jbd6 |
| vulnerability_id |
VCID-u2xn-x2tc-jbd6 |
| summary |
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions `Cipher.update_into` would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as `bytes`) to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This now correctly raises an exception. This issue has been present since `update_into` was originally introduced in cryptography 1.8. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2023-23931, GHSA-w7pp-m8wf-vj6r, PYSEC-2023-11
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-u2xn-x2tc-jbd6 |
|
| 3 |
| url |
VCID-v56n-dpyv-rug7 |
| vulnerability_id |
VCID-v56n-dpyv-rug7 |
| summary |
python-cryptography 3.2 is vulnerable to Bleichenbacher timing attacks in the RSA decryption API, via timed processing of valid PKCS#1 v1.5 ciphertext. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2020-25659, GHSA-hggm-jpg3-v476, PYSEC-2021-62
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-v56n-dpyv-rug7 |
|
|
|---|
| Fixing_vulnerabilities |
|
|---|
| Risk_score | null |
|---|
| Resource_url | http://public2.vulnerablecode.io/packages/pkg:pypi/cryptography@2.2 |
|---|