Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
cveGitHub_MCVE-2023-42811
HistorySep 22, 2023 - 4:15 p.m.

CVE-2023-42811

2023-09-2216:15:10
CWE-347
GitHub_M
web.nvd.nist.gov
27
cve-2023-42811
aes-gcm
rust
aes-gcm
decrypt
encryption
vulnerability

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

5.3

Confidence

High

EPSS

0.001

Percentile

16.8%

JSON

aes-gcm is a pure Rust implementation of the AES-GCM. Starting in version 0.10.0 and prior to version 0.10.3, in the AES GCM implementation of decrypt_in_place_detached, the decrypted ciphertext (i.e. the correct plaintext) is exposed even if tag verification fails. If a program using the aes-gcm crate’s decrypt_in_place* APIs accesses the buffer after decryption failure, it will contain a decryption of an unauthenticated input. Depending on the specific nature of the program this may enable Chosen Ciphertext Attacks (CCAs) which can cause a catastrophic breakage of the cipher including full plaintext recovery. Version 0.10.3 contains a fix for this issue.

Affected configurations

Nvd
Vulners
Node
aes-gcm_projectaes-gcmRange0.10.00.10.3rust
Node
fedoraprojectfedoraMatch37
OR
fedoraprojectfedoraMatch38
OR
fedoraprojectfedoraMatch39
VendorProductVersionCPE
aes-gcm_projectaes-gcm*cpe:2.3:a:aes-gcm_project:aes-gcm:*:*:*:*:*:rust:*:*
fedoraprojectfedora37cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
fedoraprojectfedora38cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*
fedoraprojectfedora39cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*

CNA Affected

[
  {
    "vendor": "RustCrypto",
    "product": "AEADs",
    "versions": [
      {
        "version": ">= 0.10.0, < 0.10.3",
        "status": "affected"
      }
    ]
  }
]

Related

prion 1
cvelist 1
openvas 5
nessus 5
github 1
fedora 6
osv 3
nvd 1
prion
prion
Design/Logic Flaw
2023-09-22 16:15:00
cvelist
cvelist
CVE-2023-42811 AEADs/aes-gcm: Plaintext exposed in decrypt_in_place_detached even on tag verification failure
2023-09-22 15:19:15
openvas
openvas
Fedora: Security Advisory (FEDORA-2023-17bdd59177)
2024-09-10 00:00:00
Fedora: Security Advisory for rust-aes-gcm (FEDORA-2023-98f44d1c4c)
2023-10-04 00:00:00
openSUSE: Security Advisory for rage (SUSE-SU-2023:4060-1)
2024-03-04 00:00:00
nessus
nessus
Fedora 37 : firecracker / rust-aes-gcm (2023-bc40c7995e)
2023-10-02 00:00:00
SUSE SLED15 / SLES15 / openSUSE 15 Security Update : rage-encryption (SUSE-SU-2023:4060-1)
2023-10-13 00:00:00
Fedora 39 : firecracker / rust-aes-gcm (2023-17bdd59177)
2023-11-07 00:00:00
github
github
AEADs/aes-gcm: Plaintext exposed in decrypt_in_place_detached even on tag verification failure
2023-09-22 16:11:47
fedora
fedora
[SECURITY] Fedora 39 Update: rust-aes-gcm-0.10.3-1.fc39
2023-10-03 00:21:14
[SECURITY] Fedora 38 Update: rust-aes-gcm-0.10.3-1.fc38
2023-10-03 02:23:51
[SECURITY] Fedora 39 Update: firecracker-1.4.1-3.fc39
2023-10-03 00:21:14
osv
osv
AEADs/aes-gcm: Plaintext exposed in decrypt_in_place_detached even on tag verification failure
2023-09-22 16:11:47
shadowsocks-rust-1.16.2-1.1 on GA media
2024-06-15 00:00:00
CVE-2023-42811
2023-09-22 16:15:10
nvd
nvd
CVE-2023-42811
2023-09-22 16:15:10

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

5.3

Confidence

High

EPSS

0.001

Percentile

16.8%

JSON
Related for CVE-2023-42811
prion1cvelist1openvas5nessus5github1fedora6osv3nvd1