Home

CVE-2018-10903

Description

A flaw was found in python-cryptography versions between >=1.9.0 and <2.3. The finalize_with_tag API did not enforce a minimum tag length. If a user did not validate the input length prior to passing it to finalize_with_tag an attacker could craft an invalid payload with a shortened tag (e.g. 1 byte) such that they would have a 1 in 256 chance of passing the MAC check. GCM tag forgeries can cause key leakage.

Risk Information

Base Score
7.5
MODERATE
Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score
Exploitation Probability
0.204

Associated Vulnerability

VulnerabilityOS Platform
Vulnerabilities CVE-2018-10903 are fixed in Python-cryptography 2.3Windows
SUSE-SU-2020:0792-1(SUSE Linux Enterprise Server 12-SP5 ) python-cffi-1.11.2-5.11.1.x86_64.rpmLinux
SUSE-SU-2020:0792-1(SUSE Linux Enterprise Server 12-SP4 ) python-cffi-1.11.2-5.11.1.x86_64_SP4.rpmLinux
SUSE-SU-2020:0792-1(SUSE Linux Enterprise Server 12-SP4 ) python-cffi-debuginfo-1.11.2-5.11.1.x86_64.rpmLinux
SUSE-SU-2020:0792-1(SUSE Linux Enterprise Server 12-SP5 ) python-cffi-debuginfo-1.11.2-5.11.1.x86_64_SP5.rpmLinux
SUSE-SU-2020:0792-1(SUSE Linux Enterprise Server 12-SP4 ) python-cffi-debugsource-1.11.2-5.11.1.x86_64.rpmLinux
SUSE-SU-2020:0792-1(SUSE Linux Enterprise Server 12-SP4 ) python-cryptography-2.1.4-7.28.2.x86_64.rpmLinux
SUSE-SU-2020:0792-1(SUSE Linux Enterprise Server 12-SP5 ) python-cffi-debugsource-1.11.2-5.11.1.x86_64_SP5.rpmLinux
SUSE-SU-2020:0792-1(SUSE Linux Enterprise Server 12-SP4 ) python-cryptography-debuginfo-2.1.4-7.28.2.x86_64.rpmLinux
SUSE-SU-2020:0792-1(SUSE Linux Enterprise Server 12-SP5 ) python-cryptography-2.1.4-7.28.2.x86_64_SP5.rpmLinux
SUSE-SU-2020:0792-1(SUSE Linux Enterprise Server 12-SP4 ) python-cryptography-debugsource-2.1.4-7.28.2.x86_64.rpmLinux
SUSE-SU-2020:0792-1(SUSE Linux Enterprise Server 12-SP5 ) python-cryptography-debuginfo-2.1.4-7.28.2.x86_64_SP5.rpmLinux
SUSE-SU-2020:0792-1(SUSE Linux Enterprise Server 12-SP4 ) python-xattr-0.7.5-6.3.2.x86_64.rpmLinux
SUSE-SU-2020:0792-1(SUSE Linux Enterprise Server 12-SP5 ) python-cryptography-debugsource-2.1.4-7.28.2.x86_64_SP5.rpmLinux
SUSE-SU-2020:0792-1(SUSE Linux Enterprise Server 12-SP4 ) python-xattr-debuginfo-0.7.5-6.3.2.x86_64.rpmLinux
SUSE-SU-2020:0792-1(SUSE Linux Enterprise Server 12-SP5 ) python-xattr-0.7.5-6.3.2.x86_64_SP5.rpmLinux
SUSE-SU-2020:0792-1(SUSE Linux Enterprise Server 12-SP4 ) python-xattr-debugsource-0.7.5-6.3.2.x86_64.rpmLinux
SUSE-SU-2020:0792-1(SUSE Linux Enterprise Server 12-SP5 ) python-xattr-debuginfo-0.7.5-6.3.2.x86_64_SP5.rpmLinux
SUSE-SU-2020:0792-1(SUSE Linux Enterprise Server 12-SP4 ) python3-cffi-1.11.2-5.11.1.x86_64.rpmLinux
SUSE-SU-2020:0792-1(SUSE Linux Enterprise Server 12-SP5 ) python-xattr-debugsource-0.7.5-6.3.2.x86_64_SP5.rpmLinux
SUSE-SU-2020:0792-1(SUSE Linux Enterprise Server 12-SP4 ) python3-cffi-debuginfo-1.11.2-5.11.1.x86_64.rpmLinux
SUSE-SU-2020:0792-1(SUSE Linux Enterprise Server 12-SP5 ) python3-cffi-1.11.2-5.11.1.x86_64_SP5.rpmLinux
SUSE-SU-2020:0792-1(SUSE Linux Enterprise Server 12-SP4 ) python3-cryptography-2.1.4-7.28.2.x86_64.rpmLinux
SUSE-SU-2020:0792-1(SUSE Linux Enterprise Server 12-SP5 ) python3-cffi-debuginfo-1.11.2-5.11.1.x86_64_SP5.rpmLinux
SUSE-SU-2020:0792-1(SUSE Linux Enterprise Server 12-SP4 ) python3-cryptography-debuginfo-2.1.4-7.28.2.x86_64.rpmLinux
SUSE-SU-2020:0792-1(SUSE Linux Enterprise Server 12-SP5 ) python3-cryptography-2.1.4-7.28.2.x86_64_SP5.rpmLinux
SUSE-SU-2020:0792-1(SUSE Linux Enterprise Server 12-SP5 ) python3-cryptography-debuginfo-2.1.4-7.28.2.x86_64_SP5.rpmLinux
SUSE-SU-2022:4044-1(SUSE Linux Enterprise Module for Basesystem 15-SP3 ) python3-cryptography-2.9.2-150200.13.1.x86_64.rpmLinux
Vulnerabilities CVE-2018-10903 are fixed in Python-cryptography for linux 2.3Linux

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234