CVE-2013-1445: PyCrypto does not properly reseed PRNG before allowing access

May 17, 2022 (updated October 21, 2024)

The Crypto.Random.atfork function in PyCrypto before 2.6.1 does not properly reseed the pseudo-random number generator (PRNG) before allowing a child process to access it, which makes it easier for context-dependent attackers to obtain sensitive information by leveraging a race condition in which a child process is created and accesses the PRNG within the same rate-limit period as another process.

References

github.com/advisories/GHSA-x377-f64p-hf5j
github.com/dlitz/pycrypto/commit/19dcf7b15d61b7dc1a125a367151de40df6ef175
github.com/pycrypto/pycrypto
github.com/pypa/advisory-database/tree/main/vulns/pycrypto/PYSEC-2013-29.yaml
nvd.nist.gov/vuln/detail/CVE-2013-1445

Detect and mitigate CVE-2013-1445 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →