CVE-2023-50782: 
Couchbase vulnerability analysis and mitigation

A flaw was discovered in the python-cryptography package (CVE-2023-50782) that could allow remote attackers to decrypt captured messages in TLS servers using RSA key exchanges. The vulnerability was disclosed on February 5, 2024, affecting multiple versions of the python-cryptography package up to version 42.0.0 (NVD, Red Hat).

The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The issue is related to the OpenSSL implementation and requires a no-change rebuild of cryptography after OpenSSL fix is backported (Ubuntu). The vulnerability is categorized under CWE-203 (Observable Discrepancy) and CWE-208 (Observable Timing Discrepancy) (NVD).

The vulnerability can lead to exposure of confidential or sensitive data by allowing attackers to decrypt captured messages in TLS servers that utilize RSA key exchanges (NVD, Red Hat).

The vulnerability has been fixed in python-cryptography version 42.0.0 and later. Various Linux distributions have released patches: Ubuntu has fixed it in versions 38.0.4-4ubuntu0.23.10.2 for 23.10 and 3.4.8-1ubuntu2.2 for 22.04 LTS (Ubuntu). The issue requires OpenSSL 3.2.0 or later for complete mitigation (Debian).