VulnerableCode Package Details - pkg:deb/debian/python-cryptography@0.8.2-2~bpo8%2B1

Staging Environment: Content and features may be unstable or change without notice.

Search for packages

Package details: pkg:deb/debian/python-cryptography@0.8.2-2~bpo8%2B1

Essentials
History (6)

purl	pkg:deb/debian/python-cryptography@0.8.2-2~bpo8%2B1

Next non-vulnerable version	46.0.7-1
Latest non-vulnerable version	46.0.7-1
Risk

Vulnerabilities affecting this package (6)

Vulnerability	Summary	Fixed by
VCID-8kj7-du9v-uugw Aliases: CVE-2016-9243 GHSA-q3cj-2r34-2cwc PYSEC-2017-8	HKDF in cryptography before 1.5.2 returns an empty byte-string if used with a length less than algorithm.digest_size.	1.7.1-3~bpo8+1 Affected by 5 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-hvcn-tmdz-m3ct Aliases: CVE-2018-10903 GHSA-fcf9-3qw3-gxmj PYSEC-2018-52	A flaw was found in python-cryptography versions between >=1.9.0 and <2.3. The finalize_with_tag API did not enforce a minimum tag length. If a user did not validate the input length prior to passing it to finalize_with_tag an attacker could craft an invalid payload with a shortened tag (e.g. 1 byte) such that they would have a 1 in 256 chance of passing the MAC check. GCM tag forgeries can cause key leakage.	2.6.1-3+deb10u2 Affected by 4 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-n7hx-bfnn-5kgc Aliases: CVE-2023-49083 GHSA-jfhm-5ghh-2f97 PYSEC-2023-254	cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling `load_pem_pkcs7_certificates` or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference and segfault. Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system availability and stability. This vulnerability has been patched in version 41.0.6.	38.0.4-3+deb12u1 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-ra23-bf9w-2ugf Aliases: CVE-2020-36242 GHSA-rhm9-p9w5-fwm7 PYSEC-2021-63	In the cryptography package before 3.3.2 for Python, certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class.	3.3.2-1 Affected by 5 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-u2xn-x2tc-jbd6 Aliases: CVE-2023-23931 GHSA-w7pp-m8wf-vj6r PYSEC-2023-11	cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions `Cipher.update_into` would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as `bytes`) to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This now correctly raises an exception. This issue has been present since `update_into` was originally introduced in cryptography 1.8.	38.0.4-3+deb12u1 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-v56n-dpyv-rug7 Aliases: CVE-2020-25659 GHSA-hggm-jpg3-v476 PYSEC-2021-62	python-cryptography 3.2 is vulnerable to Bleichenbacher timing attacks in the RSA decryption API, via timed processing of valid PKCS#1 v1.5 ciphertext.	3.3.2-1 Affected by 5 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}

Vulnerabilities fixed by this package (0)

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-06T10:35:36.411938+00:00	Debian Oval Importer	Affected by	VCID-n7hx-bfnn-5kgc	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.6.0
2026-06-06T09:22:40.715547+00:00	Debian Oval Importer	Affected by	VCID-u2xn-x2tc-jbd6	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.6.0
2026-06-06T02:58:59.064858+00:00	Debian Oval Importer	Affected by	VCID-hvcn-tmdz-m3ct	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.6.0
2026-06-06T02:08:59.781614+00:00	Debian Oval Importer	Affected by	VCID-v56n-dpyv-rug7	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.6.0
2026-06-06T01:18:04.810350+00:00	Debian Oval Importer	Affected by	VCID-8kj7-du9v-uugw	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.6.0
2026-06-06T01:17:37.172554+00:00	Debian Oval Importer	Affected by	VCID-ra23-bf9w-2ugf	https://www.debian.org/security/oval/oval-definitions-bullseye.xml.bz2	38.6.0