I run safety via pipenv check : <p di

I guess this should be: <div class="snippet-clipboard-content notranslate position

This is fixed now: <div class="Box-hea

False positive for CVE-2018-10903 : cryptography == 2.3 about safety-db HOT 5 CLOSED

pyupio commented on July 28, 2024 8

False positive for CVE-2018-10903 : cryptography == 2.3

from safety-db.

Comments (5)

benhowes commented on July 28, 2024 1

I'm seeing this also. I've checked the cache file from pyup.io (via pipenv) and the following appears in the cache.json:

         "cryptography":[
            "<1.5.3",
            "<0.9.1",
            "<1.0.2",
            ">=1.9.0",
            "<2.3"
         ],

This matches all versions of cryptography!

from safety-db.

shtratos commented on July 28, 2024

I guess this should be:

         "cryptography":[
            "<1.5.3",
            "<0.9.1",
            "<1.0.2",
            ">=1.9.0,<2.3"
         ],

from safety-db.

shtratos commented on July 28, 2024

This is fixed now:

safety-db/data/insecure_full.json

Lines 1050 to 1056 in a2d448c

 "advisory": "python-cryptography versions >=1.9.0 and <2.3 did not enforce a minimum tag length for finalize_with_tag API. If a user did not validate the input length prior to passing it to finalize_with_tag an attacker could craft an invalid payload with a shortened tag (e.g. 1 byte) such that they would have a 1 in 256 chance of passing the MAC check. GCM tag forgeries can cause key leakage.", 

 "cve": "CVE-2018-10903", 

 "id": "pyup.io-36351", 

 "specs": [ 

 "<=2.2.2" 

 ], 

 "v": "<=2.2.2"

from safety-db.

donovan commented on July 28, 2024

Hi, it looks like this fix results in false positives for cryptography versions <1.9.0.

╞════════════════════════════╤═══════════╤══════════════════════════╤══════════╡
│ package                    │ installed │ affected                 │ ID       │
╞════════════════════════════╧═══════════╧══════════════════════════╧══════════╡
│ cryptography               │ 1.8.2     │ <=2.2.2                  │ 36351    │
╞══════════════════════════════════════════════════════════════════════════════╡
│ python-cryptography versions >=1.9.0 and <2.3 did not enforce a minimum tag  │
│ length for finalize_with_tag API. If a user did not validate the input lengt │
│ h prior to passing it to finalize_with_tag an attacker could craft an invali │
│ d payload with a shortened tag (e.g. 1 byte) such that they would have a 1 i │
│ n 256 chance of passing the MAC check. GCM tag forgeries can cause key leaka │
│ ge.                                                                          │
╘══════════════════════════════════════════════════════════════════════════════╛

1.8.2 is not vulnerable as per the full report yet it is triggering a failed check.

Do you want me to open a new issue?

from safety-db.

GreenGremlin commented on July 28, 2024

I'm getting the same false positive for version 1.8.2.

from safety-db.

False positive for CVE-2018-10903 : cryptography == 2.3 about safety-db HOT 5 CLOSED

Comments (5)

Related Issues (20)

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent

	"advisory": "python-cryptography versions >=1.9.0 and <2.3 did not enforce a minimum tag length for finalize_with_tag API. If a user did not validate the input length prior to passing it to finalize_with_tag an attacker could craft an invalid payload with a shortened tag (e.g. 1 byte) such that they would have a 1 in 256 chance of passing the MAC check. GCM tag forgeries can cause key leakage.",
	"cve": "CVE-2018-10903",
	"id": "pyup.io-36351",
	"specs": [
	"<=2.2.2"
	],
	"v": "<=2.2.2"