{
  "threat_severity" : "Moderate",
  "public_date" : "2024-01-05T00:00:00Z",
  "bugzilla" : {
    "description" : "pycryptodome: side-channel leakage for OAEP decryption in PyCryptodome and pycryptodomex",
    "id" : "2257028",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2257028"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.9",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-203",
  "details" : [ "PyCryptodome and pycryptodomex before 3.19.1 allow side-channel leakage for OAEP decryption, exploitable for a Manger attack.", "A flaw was found in PyCryptodome/pycryptodomex which may allow for side-channel leakage when performing OAEP decryption, which could be exploited to carry out a Manger attack." ],
  "statement" : "Red Hat Satellite ships an affected version of pycryptodome for pulp_container; however, the product is not vulnerable, as it does not utilize the OAEP algorithm. Red Hat Product Security has classified its impact as Low for Red Hat Satellite; future updates are expected to address this issue.\nRed Hat OpenStack 16.1 and 16.2 include the affected python-scciclient, embedded through the python-crypto package; however, python-scciclient employs only one algorithm, which is AES. While the version of python-crypto we ship may be susceptible to this particular CVE, the affected algorithms are not utilized by OpenStack, so the attack cannot be executed to exploit an OpenStack deployment.",
  "affected_release" : [ {
    "product_name" : "Red Hat Ansible Automation Platform 2.4 for RHEL 8",
    "release_date" : "2024-02-29T00:00:00Z",
    "advisory" : "RHSA-2024:1057",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.4::el8",
    "package" : "python3x-pycryptodomex-0:3.20.0-1.el8ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.4 for RHEL 9",
    "release_date" : "2024-02-29T00:00:00Z",
    "advisory" : "RHSA-2024:1057",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.4::el9",
    "package" : "python-pycryptodomex-0:3.20.0-1.el9ap"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-05-22T00:00:00Z",
    "advisory" : "RHSA-2024:2968",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "fence-agents-0:4.2.1-129.el8",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-05-22T00:00:00Z",
    "advisory" : "RHSA-2024:2952",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8::highavailability",
    "package" : "resource-agents-0:4.9.0-54.el8",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-04-30T00:00:00Z",
    "advisory" : "RHSA-2024:2132",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "fence-agents-0:4.10.0-62.el9",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Extended Update Support",
    "release_date" : "2024-03-05T00:00:00Z",
    "advisory" : "RHSA-2024:1155",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.0",
    "package" : "fence-agents-0:4.10.0-20.el9_0.11"
  }, {
    "product_name" : "Red Hat Satellite 6.15 for RHEL 8",
    "release_date" : "2024-04-23T00:00:00Z",
    "advisory" : "RHSA-2024:2010",
    "cpe" : "cpe:/a:redhat:satellite:6.15::el8",
    "package" : "python-pycryptodomex-0:3.20.0-1.el8pc",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Satellite 6.15 for RHEL 8",
    "release_date" : "2024-04-23T00:00:00Z",
    "advisory" : "RHSA-2024:2010",
    "cpe" : "cpe:/a:redhat:satellite_capsule:6.15::el8",
    "package" : "python-pycryptodomex-0:3.20.0-1.el8pc",
    "impact" : "low"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Not affected",
    "package_name" : "python3x-jose",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2",
    "fix_state" : "Not affected",
    "package_name" : "python-jose",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "fence-agents",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "resource-agents",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "pysnmp",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenStack Platform 16.1",
    "fix_state" : "Not affected",
    "package_name" : "python-crypto",
    "cpe" : "cpe:/a:redhat:openstack:16.1",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat OpenStack Platform 16.2",
    "fix_state" : "Not affected",
    "package_name" : "python-crypto",
    "cpe" : "cpe:/a:redhat:openstack:16.2",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat OpenStack Platform 17.1",
    "fix_state" : "Not affected",
    "package_name" : "pysnmp",
    "cpe" : "cpe:/a:redhat:openstack:17.1"
  }, {
    "product_name" : "Red Hat OpenStack Platform 18.0",
    "fix_state" : "Not affected",
    "package_name" : "pysnmp",
    "cpe" : "cpe:/a:redhat:openstack:18.0"
  }, {
    "product_name" : "Red Hat Storage 3",
    "fix_state" : "Out of support scope",
    "package_name" : "pysnmp",
    "cpe" : "cpe:/a:redhat:storage:3"
  }, {
    "product_name" : "Service Telemetry Framework 1.5",
    "fix_state" : "Not affected",
    "package_name" : "stf/prometheus-webhook-snmp",
    "cpe" : "cpe:/a:redhat:stf:1.5"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-52323\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-52323\nhttps://github.com/Legrandin/pycryptodome/blob/master/Changelog.rst\nhttps://pypi.org/project/pycryptodomex/#history" ],
  "name" : "CVE-2023-52323",
  "csaw" : false
}