Search for packages
| purl | pkg:pypi/cryptography@0.5.2 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-4j5v-k162-tfgd
Aliases: GHSA-5cpq-8wj7-hf2v GMS-2023-1778 |
Vulnerable OpenSSL included in cryptography wheels pyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in cryptography 0.5-40.0.2 is vulnerable to a security issue. More details about the vulnerability itself can be found in https://www.openssl.org/news/secadv/20230530.txt. If you are building cryptography source ("sdist") then you are responsible for upgrading your copy of OpenSSL. Only users installing from wheels built by the cryptography project (i.e., those distributed on PyPI) need to update their cryptography versions. |
Affected by 9 other vulnerabilities. |
|
VCID-f44c-ygbw-bufn
Aliases: CVE-2026-26007 GHSA-r6ph-v2qm-q3c2 |
cryptography Vulnerable to a Subgroup Attack Due to Missing Subgroup Validation for SECT Curves ## Vulnerability Summary The `public_key_from_numbers` (or `EllipticCurvePublicNumbers.public_key()`), `EllipticCurvePublicNumbers.public_key()`, `load_der_public_key()` and `load_pem_public_key()` functions do not verify that the point belongs to the expected prime-order subgroup of the curve. This missing validation allows an attacker to provide a public key point `P` from a small-order subgroup. This can lead to security issues in various situations, such as the most commonly used signature verification (ECDSA) and shared key negotiation (ECDH). When the victim computes the shared secret as `S = [victim_private_key]P` via ECDH, this leaks information about `victim_private_key mod (small_subgroup_order)`. For curves with cofactor > 1, this reveals the least significant bits of the private key. When these weak public keys are used in ECDSA , it's easy to forge signatures on the small subgroup. Only SECT curves are impacted by this. ## Credit This vulnerability was discovered by: - XlabAI Team of Tencent Xuanwu Lab - Atuin Automated Vulnerability Discovery Engine |
Affected by 0 other vulnerabilities. |
|
VCID-hpev-apm4-sqfw
Aliases: CVE-2024-0727 GHSA-9v9h-cgj8-h64p |
Null pointer dereference in PKCS12 parsing Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL to crash leading to a potential Denial of Service attack Impact summary: Applications loading files in the PKCS12 format from untrusted sources might terminate abruptly. A file in PKCS12 format can contain certificates and keys and may come from an untrusted source. The PKCS12 specification allows certain fields to be NULL, but OpenSSL does not correctly check for this case. This can lead to a NULL pointer dereference that results in OpenSSL crashing. If an application processes PKCS12 files from an untrusted source using the OpenSSL APIs then that application will be vulnerable to this issue. OpenSSL APIs that are vulnerable to this are: PKCS12_parse(), PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes() and PKCS12_newpass(). We have also fixed a similar issue in SMIME_write_PKCS7(). However since this function is related to writing data we do not consider it security significant. The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue. |
Affected by 4 other vulnerabilities. |
|
VCID-vmx8-tjg2-uuec
Aliases: CVE-2020-25659 GHSA-hggm-jpg3-v476 PYSEC-2021-62 |
python-cryptography 3.2 is vulnerable to Bleichenbacher timing attacks in the RSA decryption API, via timed processing of valid PKCS#1 v1.5 ciphertext. |
Affected by 11 other vulnerabilities. Affected by 10 other vulnerabilities. |
|
VCID-x7vf-dyab-qbhq
Aliases: CVE-2023-50782 GHSA-3ww4-gg4f-jr7f |
Python Cryptography package vulnerable to Bleichenbacher timing oracle attack A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data. |
Affected by 5 other vulnerabilities. |
|
VCID-zvkn-n581-xqf3
Aliases: CVE-2016-9243 GHSA-q3cj-2r34-2cwc PYSEC-2017-8 |
HKDF in cryptography before 1.5.2 returns an empty byte-string if used with a length less than algorithm.digest_size. |
Affected by 7 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||