Pycrypto generates weak key parameters

High severity GitHub Reviewed Published Jul 12, 2018 to the GitHub Advisory Database • Updated Jan 9, 2023

Package

pycrypto (pip)

Affected versions

<= 2.6.1

Patched versions

None

Description

lib/Crypto/PublicKey/ElGamal.py in PyCrypto through 2.6.1 generates weak ElGamal key parameters, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in the face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for PyCrypto's ElGamal implementation.
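
A parameter check that can be run over existing ElGamal public keys, as an added example (not PyCrypto's code and not part of the advisory text). It assumes the modulus is a safe prime p = 2q + 1 and flags a generator g that lies outside the order-q subgroup, a standard condition under which DDH fails in Z_p^*; the function names are hypothetical and the sample values are constructed.

```python
import random

def is_probable_prime(n, rounds=40):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a witnesses that n is composite
    return True

def check_elgamal_params(p, g):
    """Classify an ElGamal (p, g) pair.

    Assumption of this example: the intended group is the subgroup of
    prime order q inside Z_p^*, where p = 2q + 1 is a safe prime.
    """
    q = (p - 1) // 2
    if p % 2 == 0 or not (is_probable_prime(p) and is_probable_prime(q)):
        return "reject: p is not a safe prime"
    if not 1 < g < p - 1:
        return "reject: g out of range"
    # g^q == 1 (mod p) exactly when g is a quadratic residue, i.e. g has
    # order q. Otherwise g has order 2q and ciphertext components leak
    # their quadratic residuosity, so DDH does not hold.
    if pow(g, q, p) != 1:
        return "weak: g has even order"
    return "ok: g generates the order-q subgroup"

if __name__ == "__main__":
    # Constructed toy parameters; real keys use moduli of 2048 bits or more.
    for p, g in [(23, 5), (23, 4), (1019, 2), (1019, 4), (21, 4)]:
        print(p, g, check_elgamal_params(p, g))
```

Keys reported as weak need to be regenerated with a maintained library, since the advisory lists no patched PyCrypto version.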

Published to the GitHub Advisory Database Jul 12, 2018
Reviewed Jun 16, 2020
Last updated Jan 9, 2023

Severity

High 7.5 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE ID

CVE-2018-6594

GHSA ID

GHSA-6528-wvf6-f6qg
