logo

Database

Lack of data validation In cryptography

Description

Improper input validation in cryptography HKDF in cryptography before 1.5.3 returns an empty byte-string if used with a length less than algorithm.digest_size.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2016-92432. NVD-2016-92433. OSV-2016-92434. OSV-DEBIAN-2016-92435. GHSA-q3cj-2r34-2cwc6. GCVE-2016-92437. SECURITY-TRACKER-CVE-2016-9243

References

1. https://github.com/pyca/cryptography/issues/32112. https://github.com/pyca/cryptography/commit/b924696b2e8731f39696584d12cceeb3aeb2d8743. https://cryptography.io/en/latest/changelog4. https://cryptography.io/en/latest/changelog/#v1-5-35. https://github.com/pypa/advisory-database/tree/main/vulns/cryptography/PYSEC-2017-8.yaml6. https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5R2ZOBMPWDFFHUZ6QOZZY36A6H5CGJXL7. https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U23KDR2M2N7W2ZSREG63BVW7D4VC6CIZ8. https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WQ5G7KHKZC4SI23JE7277KZXM57GEQKT9. https://lists.fedoraproject.org/archives/list/[email protected]/message/5R2ZOBMPWDFFHUZ6QOZZY36A6H5CGJXL10. https://lists.fedoraproject.org/archives/list/[email protected]/message/U23KDR2M2N7W2ZSREG63BVW7D4VC6CIZ11. https://lists.fedoraproject.org/archives/list/[email protected]/message/WQ5G7KHKZC4SI23JE7277KZXM57GEQKT12. http://www.openwall.com/lists/oss-security/2016/11/09/213. http://www.securityfocus.com/bid/9421614. http://www.ubuntu.com/usn/USN-3138-1

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.