Use of a Broken or Risky Cryptographic Algorithm [Snyk Vulnerability]
r-doherty opened this issue · 1 comment
Issue:
Use of a Broken or Risky Cryptographic Algorithm
Vulnerability Codes:
CVSS 5.9
SNYK-PYTHON-PYOPENSSL-6149520
https://app.snyk.io/vuln/SNYK-PYTHON-PYOPENSSL-6149520
Security information:
Factors contributing to the scoring:
Snyk: CVSS 5.9 - Medium Severity
NVD: CVSS 6.5 Medium Severity
Overview:
Affected versions of this package are vulnerable to Use of a Broken or Risky Cryptographic Algorithm due to an issue in the POLY1305 MAC implementation on PowerPC CPUs. An attacker can corrupt the application state and cause incorrect calculations or potential denial of service by influencing the use of the POLY1305 MAC algorithm.
Note:
This is only exploitable if the attacker has the ability to affect the algorithm's usage and the application relies on non-volatile XMM registers.
pyOpenSSL depends on cryptography to provide OpenSSL. cryptography has shipped wheels with OpenSSL 3.2.1 (which resolves this issue) since January 30, 2024 (the day OpenSSL released the fix). However, please note that cryptography, by design, can be compiled against numerous versions of OpenSSL and is distributed in a variety of ways (especially by Linux distributions, who dynamically link it against their system OpenSSL/LibreSSL and patch that independently).
Ultimately this is yet another example of an incorrect and misleading Snyk issue and there's no action to be taken here on our end.
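Added example, not part of the issue or the maintainer's reply and not pyOpenSSL or cryptography project code: a check of which OpenSSL the installed cryptography package is actually linked against, compared with the 3.2.1 release named in the reply above. The function names and verdict strings are hypothetical, and the PowerPC test assumes `platform.machine()` values starting with `ppc` or `powerpc`.

```python
import platform
import re

FIXED = (3, 2, 1)  # OpenSSL release the reply above names as resolving the issue


def parse_openssl_version(text):
    """Return (major, minor, patch) for an 'OpenSSL x.y.z ...' string, else None."""
    m = re.match(r"OpenSSL (\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(p) for p in m.groups()) if m else None


def assess(version_text, machine):
    """Classify a (linked library, CPU) pair against the advisory on this page."""
    if not machine.lower().startswith(("ppc", "powerpc")):
        return "not-applicable: advisory concerns PowerPC CPUs only"
    version = parse_openssl_version(version_text)
    if version is None:
        # LibreSSL or another library: the OpenSSL version comparison does not apply.
        return "unknown: not an OpenSSL version string, check vendor advisories"
    if version >= FIXED:
        return "fixed: linked OpenSSL is 3.2.1 or later"
    # Distributions patch their system OpenSSL independently, so an older
    # version number alone does not prove the build is unpatched.
    return "review: older than 3.2.1, confirm your distributor's patch status"


def linked_openssl_version():
    """Ask cryptography which OpenSSL build it is linked against."""
    from cryptography.hazmat.backends.openssl import backend
    return backend.openssl_version_text()


if __name__ == "__main__":
    try:
        text = linked_openssl_version()
    except ImportError:
        text = "cryptography not installed"
    machine = platform.machine()
    print(text, "|", machine, "->", assess(text, machine))
```

Run it inside the same virtualenv or container image as the application, since a wheel install and a distribution package on the same host can link different OpenSSL builds.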