CVE-2016-9243

HIGH · EPSS 87.4%
Published Mar 27, 2017 (9y ago) · Modified Jun 17, 2026 (2w ago)
7.5 CVSS 3.1
High

Description

HKDF in cryptography before 1.5.2 returns an empty byte-string if used with a length less than algorithm.digest_size.

CVSS Details

Base Score
7.5
Exploitability
3.9
Impact
3.6
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality None
Integrity High
Availability None

Threat Intelligence

EPSS Exploit Probability
87.4% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Affected Products (6)

Vendor           Product        Version   Range
cryptography.io  cryptography   *         ≤1.5.2
fedoraproject    fedora         23        any
fedoraproject    fedora         24        any
fedoraproject    fedora         25        any
canonical        ubuntu_linux   16.04     any
canonical        ubuntu_linux   16.10     any

References (9)

  • openwall.com http://www.openwall.com/lists/oss-security/2016/11/09/2
    Mailing List, Patch, VDB Entry
  • securityfocus.com http://www.securityfocus.com/bid/94216
    Broken Link, Third Party Advisory, VDB Entry
  • ubuntu.com http://www.ubuntu.com/usn/USN-3138-1
    Third Party Advisory
  • cryptography.io https://cryptography.io/en/latest/changelog
    Release Notes, Third Party Advisory
  • github.com https://github.com/pyca/cryptography/commit/b924696b2e8731f39696584d12cceeb3aeb2d874
    Patch, Third Party Advisory
  • github.com https://github.com/pyca/cryptography/issues/3211
    Issue Tracking, Third Party Advisory
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5R2ZOBMPWDFFHUZ6QOZZY36A6H5CGJXL/
    Mailing List, Third Party Advisory
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U23KDR2M2N7W2ZSREG63BVW7D4VC6CIZ/
    Mailing List, Third Party Advisory
  • lists.fedoraproject.org https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WQ5G7KHKZC4SI23JE7277KZXM57GEQKT/
    Mailing List, Third Party Advisory

Remediation

  • openwall.com http://www.openwall.com/lists/oss-security/2016/11/09/2
    Mailing List, Patch, VDB Entry
  • github.com https://github.com/pyca/cryptography/commit/b924696b2e8731f39696584d12cceeb3aeb2d874
    Patch, Third Party Advisory