Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nvd[email protected]NVD:CVE-2023-42811
HistorySep 22, 2023 - 4:15 p.m.

CVE-2023-42811

2023-09-2216:15:10
CWE-347
[email protected]
web.nvd.nist.gov
7
aes-gcm
rust implementation
decrypt in place
chosen ciphertext attacks
version 0.10.3 fix

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

5

Confidence

High

EPSS

0.001

Percentile

16.8%

JSON

aes-gcm is a pure Rust implementation of the AES-GCM. Starting in version 0.10.0 and prior to version 0.10.3, in the AES GCM implementation of decrypt_in_place_detached, the decrypted ciphertext (i.e. the correct plaintext) is exposed even if tag verification fails. If a program using the aes-gcm crate’s decrypt_in_place* APIs accesses the buffer after decryption failure, it will contain a decryption of an unauthenticated input. Depending on the specific nature of the program this may enable Chosen Ciphertext Attacks (CCAs) which can cause a catastrophic breakage of the cipher including full plaintext recovery. Version 0.10.3 contains a fix for this issue.

Affected configurations

Nvd
Node
aes-gcm_projectaes-gcmRange0.10.00.10.3rust
Node
fedoraprojectfedoraMatch37
OR
fedoraprojectfedoraMatch38
OR
fedoraprojectfedoraMatch39
VendorProductVersionCPE
aes-gcm_projectaes-gcm*cpe:2.3:a:aes-gcm_project:aes-gcm:*:*:*:*:*:rust:*:*
fedoraprojectfedora37cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
fedoraprojectfedora38cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*
fedoraprojectfedora39cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*

Related

prion 1
cvelist 1
github 1
fedora 6
nessus 5
osv 3
openvas 5
cve 1
prion
prion
Design/Logic Flaw
2023-09-22 16:15:00
cvelist
cvelist
CVE-2023-42811 AEADs/aes-gcm: Plaintext exposed in decrypt_in_place_detached even on tag verification failure
2023-09-22 15:19:15
github
github
AEADs/aes-gcm: Plaintext exposed in decrypt_in_place_detached even on tag verification failure
2023-09-22 16:11:47
fedora
fedora
[SECURITY] Fedora 39 Update: rust-aes-gcm-0.10.3-1.fc39
2023-10-03 00:21:14
[SECURITY] Fedora 38 Update: rust-aes-gcm-0.10.3-1.fc38
2023-10-03 02:23:51
[SECURITY] Fedora 39 Update: firecracker-1.4.1-3.fc39
2023-10-03 00:21:14
nessus
nessus
SUSE SLED15 / SLES15 / openSUSE 15 Security Update : rage-encryption (SUSE-SU-2023:4060-1)
2023-10-13 00:00:00
Fedora 39 : firecracker / rust-aes-gcm (2023-17bdd59177)
2023-11-07 00:00:00
Fedora 37 : firecracker / rust-aes-gcm (2023-bc40c7995e)
2023-10-02 00:00:00
osv
osv
AEADs/aes-gcm: Plaintext exposed in decrypt_in_place_detached even on tag verification failure
2023-09-22 16:11:47
shadowsocks-rust-1.16.2-1.1 on GA media
2024-06-15 00:00:00
CVE-2023-42811
2023-09-22 16:15:10
openvas
openvas
Fedora: Security Advisory (FEDORA-2023-17bdd59177)
2024-09-10 00:00:00
Fedora: Security Advisory for rust-aes-gcm (FEDORA-2023-98f44d1c4c)
2023-10-04 00:00:00
openSUSE: Security Advisory for rage (SUSE-SU-2023:4060-1)
2024-03-04 00:00:00
cve
cve
CVE-2023-42811
2023-09-22 16:15:10

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

5

Confidence

High

EPSS

0.001

Percentile

16.8%

JSON
Related for NVD:CVE-2023-42811
prion1cvelist1github1fedora6nessus5osv3openvas5cve1