https://github.com/pyca/cryptography/issues/5615

https://github.com/pyca/cryptography/blob/master/CHANGELOG.rst

https://github.com/pyca/cryptography/compare/3.3.1...3.3.2

FEDORA-2021-8e36e7ed1a

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:3254 advisory.

  - python-cryptography: Bleichenbacher timing oracle attack against RSA decryption (CVE-2020-25659)

  - python: Unsafe use of eval() on data retrieved via HTTP in the test suite (CVE-2020-27619)

  - python-lxml: mXSS due to the use of improper parser (CVE-2020-27783)

  - python-jinja2: ReDoS vulnerability due to the sub-pattern (CVE-2020-28493)

  - python-cryptography: Large inputs for symmetric encryption can trigger integer overflow leading to buffer     overflow (CVE-2020-36242)

  - python-babel: Relative path traversal allows attacker to load arbitrary locale files and execute arbitrary     code (CVE-2021-20095)

  - python: Web cache poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a semicolon in     query parameters (CVE-2021-23336)

  - python-lxml: Missing input sanitization for formaction HTML5 attributes may lead to XSS (CVE-2021-28957)

  - python-ipaddress: Improper input validation of octal strings (CVE-2021-29921)

  - python: Stack-based buffer overflow in PyCArg_repr in _ctypes/callproc.c (CVE-2021-3177)

  - python-urllib3: ReDoS in the parsing of authority part of URL (CVE-2021-33503)

  - python: Information disclosure via pydoc (CVE-2021-3426)

  - python-pip: Incorrect handling of unicode separators in git references (CVE-2021-3572)

  - python: urllib: Regular expression DoS in AbstractBasicAuthHandler (CVE-2021-3733)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to the version of the python-cryptography package installed, the EulerOS installation on the remote host is affected by the following vulnerability :

  - In the cryptography package before 3.3.2 for Python,     certain sequences of update calls to symmetrically     encrypt multi-GB values could result in an integer     overflow and buffer overflow, as demonstrated by the     Fernet class.(CVE-2020-36242)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the version of the python-cryptography package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerability :

  - In the cryptography package before 3.3.2 for Python,     certain sequences of update calls to symmetrically     encrypt multi-GB values could result in an integer     overflow and buffer overflow, as demonstrated by the     Fernet class.(CVE-2020-36242)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An update of the python package has been released.

The remote Oracle Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the ELSA-2021-1608 advisory.

  - python-cryptography 3.2 is vulnerable to Bleichenbacher timing attacks in the RSA decryption API, via     timed processing of valid PKCS#1 v1.5 ciphertext. (CVE-2020-25659)

  - In the cryptography package before 3.3.2 for Python, certain sequences of update calls to symmetrically     encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the     Fernet class. (CVE-2020-36242)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

An update of the python3 package has been released.

The remote CentOS Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the CESA-2021:1608 advisory.

  - python-cryptography: bleichenbacher timing oracle attack against RSA decryption (CVE-2020-25659)

  - python-cryptography: certain sequences of update() calls when symmetrically encrypting very large payloads     could result in an integer overflow and lead to buffer overflows (CVE-2020-36242)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2021:1608 advisory.

  - python-cryptography: Bleichenbacher timing oracle attack against RSA decryption (CVE-2020-25659)

  - python-cryptography: Large inputs for symmetric encryption can trigger integer overflow leading to buffer     overflow (CVE-2020-36242)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

This update for python-cryptography fixes the following issues :

CVE-2020-36242: Using the Fernet class to symmetrically encrypt multi gigabyte values could result in an integer overflow and buffer overflow (bsc#1182066).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for python-cryptography fixes the following issues :

  - CVE-2020-36242: Using the Fernet class to symmetrically     encrypt multi gigabyte values could result in an integer     overflow and buffer overflow (bsc#1182066).

This update was imported from the SUSE:SLE-15-SP2:Update update project.

The remote Fedora 33 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2021-8e36e7ed1a advisory.

  - In the cryptography package before 3.3.2 for Python, certain sequences of update calls to symmetrically     encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the     Fernet class. (CVE-2020-36242)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
152781	RHEL 7 : rh-python38 (RHSA-2021:3254)	Nessus	Red Hat Local Security Checks	critical
152311	EulerOS 2.0 SP9 : python-cryptography (EulerOS-SA-2021-2278)	Nessus	Huawei Local Security Checks	critical
152275	EulerOS 2.0 SP9 : python-cryptography (EulerOS-SA-2021-2252)	Nessus	Huawei Local Security Checks	critical
151560	EulerOS Virtualization 2.9.1 : python-cryptography (EulerOS-SA-2021-2178)	Nessus	Huawei Local Security Checks	critical
151546	EulerOS Virtualization 2.9.0 : python-cryptography (EulerOS-SA-2021-2208)	Nessus	Huawei Local Security Checks	critical
150439	Photon OS 1.0: Python PHSA-2021-1.0-0400	Nessus	PhotonOS Local Security Checks	critical
149969	Oracle Linux 8 : python-cryptography (ELSA-2021-1608)	Nessus	Oracle Linux Local Security Checks	critical
149836	Photon OS 4.0: Python3 PHSA-2021-4.0-0027	Nessus	PhotonOS Local Security Checks	critical
149831	Photon OS 2.0: Python PHSA-2021-2.0-0347	Nessus	PhotonOS Local Security Checks	critical
149819	Photon OS 3.0: Python PHSA-2021-3.0-0239	Nessus	PhotonOS Local Security Checks	critical
149778	CentOS 8 : python-cryptography (CESA-2021:1608)	Nessus	CentOS Local Security Checks	critical
149686	RHEL 8 : python-cryptography (RHSA-2021:1608)	Nessus	Red Hat Local Security Checks	critical
147060	SUSE SLES15 Security Update : python-cryptography (SUSE-SU-2021:0696-1)	Nessus	SuSE Local Security Checks	critical
146966	SUSE SLES12 Security Update : python-cryptography (SUSE-SU-2021:0675-1)	Nessus	SuSE Local Security Checks	critical
146923	SUSE SLED15 / SLES15 Security Update : python-cryptography (SUSE-SU-2021:0594-1)	Nessus	SuSE Local Security Checks	critical
146898	openSUSE Security Update : python-cryptography (openSUSE-2021-349)	Nessus	SuSE Local Security Checks	critical
146462	Fedora 33 : python-cryptography (2021-8e36e7ed1a)	Nessus	Fedora Local Security Checks	critical

CVE-2020-36242

critical

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical

critical