CVE-2018-6594: Pycrypto generates weak key parameters
(updated )
lib/Crypto/PublicKey/ElGamal.py in PyCrypto through 2.6.1 generates weak ElGamal key parameters, which allows attackers to obtain sensitive information by reading ciphertext data (i.e., it does not have semantic security in face of a ciphertext-only attack). The Decisional Diffie-Hellman (DDH) assumption does not hold for PyCrypto’s ElGamal implementation.
References
- github.com/TElgamal/attack-on-pycrypto-elgamal
- github.com/advisories/GHSA-6528-wvf6-f6qg
- github.com/dlitz/pycrypto
- github.com/dlitz/pycrypto/issues/253
- github.com/pypa/advisory-database/tree/main/vulns/pycrypto/PYSEC-2018-97.yaml
- lists.debian.org/debian-lts-announce/2018/02/msg00018.html
- nvd.nist.gov/vuln/detail/CVE-2018-6594
- security.gentoo.org/glsa/202007-62
- usn.ubuntu.com/3616-1
- usn.ubuntu.com/3616-2
Detect and mitigate CVE-2018-6594 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →