CVE-2016-9243

CWE-327 — Broken Cryptographic Algorithm CWE-20 — Improper Input Validation10 documents8 sources

Severity

7.5HIGH

EPSS

1.7%

top 17.99%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cryptography.io Cryptography Canonical Ubuntu Linux Fedoraproject Fedora

Timeline

PublishedMar 27

Latest updateMay 17

Description

HKDF in cryptography before 1.5.2 returns an empty byte-string if used with a length less than algorithm.digest_size.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶PyPIcryptography< 1.5.3

▶Debianpython-cryptography< 1.5.3-1+3

▶NVDcryptography.io/cryptography1.5.2

Also affects: Fedora 23, 24, 25, Ubuntu Linux 16.04, 16.10

Patches

Patch: www.openwall.com ↗Patch: github.com ↗Patch: www.openwall.com ↗

🔴Vulnerability Details

OSV

Improper input validation in cryptography↗2022-05-17

▶

GHSA

Improper input validation in cryptography↗2022-05-17

▶

OSV

CVE-2016-9243: HKDF in cryptography before 1↗2017-03-27

▶

CVEList

CVE-2016-9243: HKDF in cryptography before 1↗2017-03-27

▶

📋Vendor Advisories

Ubuntu

python-cryptography vulnerability↗2016-11-28

▶

Red Hat

python-cryptography: HKDF might return an empty byte-string↗2016-11-05

▶

Debian

CVE-2016-9243: python-cryptography - HKDF in cryptography before 1.5.2 returns an empty byte-string if used with a le...↗2016

▶

💬Community

Bugzilla

CVE-2016-9243 python-cryptography: HKDF might return an empty byte-string↗2016-11-09

▶

Bugzilla

CVE-2016-9243 python-cryptography: HKDF might return an empty byte-string [fedora-all]↗2016-11-09

▶