Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
AEADs/aes-gcm: Plaintext exposed in decrypt_in_place_detached even on tag verification failure
Vulnerability Description
aes-gcm is a pure Rust implementation of the AES-GCM. Starting in version 0.10.0 and prior to version 0.10.3, in the AES GCM implementation of decrypt_in_place_detached, the decrypted ciphertext (i.e. the correct plaintext) is exposed even if tag verification fails. If a program using the `aes-gcm` crate's `decrypt_in_place*` APIs accesses the buffer after decryption failure, it will contain a decryption of an unauthenticated input. Depending on the specific nature of the program this may enable Chosen Ciphertext Attacks (CCAs) which can cause a catastrophic breakage of the cipher including full plaintext recovery. Version 0.10.3 contains a fix for this issue.
CVSS Information
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:H/A:N
Vulnerability Type
密码学签名的验证不恰当
Vulnerability Title
aes-gcm 数据伪造问题漏洞
Vulnerability Description
aes-gcm是aes-gcm开源的一种加密算法。 aes-gcm 0.10.0至0.10.3之前版本存在数据伪造问题漏洞,该漏洞源于在AES GCM解密实现中,即使标签验证失败,也会以decrypt_in_place_detached形式公开明文。
CVSS Information
N/A
Vulnerability Type
N/A