Cryptography
CVE-2016-9243
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
1Blast Radius
ecosystem impact- 5 pypi packages depend on cryptography (4 direct, 1 indirect)
Ecosystem-wide dependent count for version 1.5.3.
DescriptionCVE.org
HKDF in cryptography before 1.5.2 returns an empty byte-string if used with a length less than algorithm.digest_size.
AnalysisAI
HKDF in cryptography before 1.5.2 returns an empty byte-string if used with a length less than algorithm.digest_size. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
Technical ContextAI
HKDF in cryptography before 1.5.2 returns an empty byte-string if used with a length less than algorithm.digest_size. Affected products include: Cryptography.Io Cryptography, Fedoraproject Fedora, Canonical Ubuntu Linux. Version information: before 1.5.2.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
More in Cryptography
View allcryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Rated high sever
The cryptography package before 41.0.2 for Python mishandles SSH certificates that have critical options. Rated high sev
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Rated medium sev
Private-key information disclosure in the pyca/cryptography Python package (versions <= 46.0.4) arises because public-ke
A flaw was found in the python-cryptography package. Rated high severity (CVSS 7.5), this vulnerability is remotely expl
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Rated high sever
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today