CVE-2023-42811
Description
aes-gcm is a pure Rust implementation of the AES-GCM. Starting in version 0.10.0 and prior to version 0.10.3, in the AES GCM implementation of decrypt_in_place_detached, the decrypted ciphertext (i.e. the correct plaintext) is exposed even if tag verification fails. If a program using the aes-gcm crate's decrypt_in_place* APIs accesses the buffer after decryption failure, it will contain a decryption of an unauthenticated input. Depending on the specific nature of the program this may enable Chosen Ciphertext Attacks (CCAs) which can cause a catastrophic breakage of the cipher including full plaintext recovery. Version 0.10.3 contains a fix for this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
aes-gcmcrates.io | >= 0.10.0, < 0.10.3 | 0.10.3 |
Affected products
5- ghsa-coords4 versionspkg:cargo/aes-gcmpkg:rpm/opensuse/rage-encryption&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/shadowsocks-rust&distro=openSUSE%20Tumbleweedpkg:rpm/suse/rage-encryption&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP5
>= 0.10.0, < 0.10.3+ 3 more
- (no CPE)range: >= 0.10.0, < 0.10.3
- (no CPE)range: < 0.9.2+0-150500.3.3.1
- (no CPE)range: < 1.16.2-1.1
- (no CPE)range: < 0.9.2+0-150500.3.3.1
- Range: >= 0.10.0, < 0.10.3
Patches
Vulnerability mechanics
References
11- github.com/RustCrypto/AEADs/security/advisories/GHSA-423w-p2w9-r7vqnvdExploitVendor AdvisoryWEB
- github.com/advisories/GHSA-423w-p2w9-r7vqghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-42811ghsaADVISORY
- docs.rs/aes-gcm/latest/src/aes_gcm/lib.rs.htmlnvdProductWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ROBB6TBDAGEQ2WIINR34F3DPSN3FND6KghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ROBB6TBDAGEQ2WIINR34F3DPSN3FND6K/nvdMailing List
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RYQCICN6BVC6I75O3F6W4VK4J3MOYDJUghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RYQCICN6BVC6I75O3F6W4VK4J3MOYDJU/nvdMailing List
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U67ZSMNX5V3WTBYPUYF45PSFG4SF5SGFghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U67ZSMNX5V3WTBYPUYF45PSFG4SF5SGF/nvdMailing List
- rustsec.org/advisories/RUSTSEC-2023-0096.htmlghsaWEB
News mentions
0No linked articles in our index yet.