#VU88199 Observable discrepancy in python-cryptography - CVE-2023-50782


Vulnerability identifier: #VU88199

Vulnerability risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-50782

CWE-ID: CWE-203

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
python-cryptography
Universal components / Libraries / Programming Languages & Components

Vendor: Python Cryptographic Authority

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application. A remote attacker can decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

python-cryptography: before 42.0.0

External links
https://access.redhat.com/security/cve/CVE-2023-50782
https://bugzilla.redhat.com/show_bug.cgi?id=2254432

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


APEX Cloud Platform for Microsoft Azure update for third-party components
Multiple vulnerabilities in Dell VxRail Appliance 7.x
Multiple vulnerabilities in Dell VxRail Appliance
Multiple vulnerabilities in IBM Netezza for Cloud Pak for Data (on Cloud)
Multiple vulnerabilities in Dell Cloud Tiering Appliance
SUSE update for openssl-3
SUSE update for openssl-1_1
SUSE update for openssl-1_1
Multiple vulnerabilities in IBM QRadar SIEM
SUSE update for openssl-1_1