Vonage/vonage-python-code-snippets

pycrypto-2.6.1.tar.gz: 2 vulnerabilities (highest severity is: 9.8)

mend-for-github-com opened this issue · 0 comments

Vulnerable Library - pycrypto-2.6.1.tar.gz

Cryptographic modules for Python.

Library home page: https://files.pythonhosted.org/packages/60/db/645aa9af249f059cc3a368b118de33889219e0362141e75d4eaf6f80f163/pycrypto-2.6.1.tar.gz

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt,/sms/verify-signed-sms/requirements.txt

Found in HEAD commit: 78eeaa256d0c11e23f05f72c3b2ab90bcbb6083c

Vulnerabilities

CVE            Severity  CVSS  Dependency             Type    Fixed in (pycrypto version)                         Remediation Available
CVE-2013-7459  High      9.8   pycrypto-2.6.1.tar.gz  Direct  python2-crypto - 2.6.1-5; python-crypto - 2.6.1-5
CVE-2018-6594  High      7.5   pycrypto-2.6.1.tar.gz  Direct  python-crypto - 2.6.1-9

Details

CVE-2013-7459

Dependency Hierarchy:

  • pycrypto-2.6.1.tar.gz (Vulnerable Library)

Found in HEAD commit: 78eeaa256d0c11e23f05f72c3b2ab90bcbb6083c

Found in base branch: main

Vulnerability Details

Heap-based buffer overflow in the ALGnew function in block_templace.c in Python Cryptography Toolkit (aka pycrypto) allows remote attackers to execute arbitrary code as demonstrated by a crafted iv parameter to cryptmsg.py.

Publish Date: 2017-02-15

URL: CVE-2013-7459

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2013-7459

Release Date: 2017-02-15

Fix Resolution: python2-crypto - 2.6.1-5;python-crypto - 2.6.1-5

⛑️ Automatic Remediation is available for this issue

CVE-2018-6594

Dependency Hierarchy:

  • pycrypto-2.6.1.tar.gz (Vulnerable Library)

Found in HEAD commit: 78eeaa256d0c11e23f05f72c3b2ab90bcbb6083c

Found in base branch: main

Vulnerability Details

lib/Crypto/PublicKey/ElGamal.py in PyCrypto through 2.6.1 generates weak ElGamal key parameters, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in the face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for PyCrypto's ElGamal implementation.

Publish Date: 2018-02-03

URL: CVE-2018-6594

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-6594

Release Date: 2018-02-03

Fix Resolution: python-crypto - 2.6.1-9

⛑️ Automatic Remediation is available for this issue


⛑️ Automatic Remediation is available for this issue.