UBUNTU-CVE-2025-27498

Source
https://ubuntu.com/security/CVE-2025-27498
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-27498.json
JSON Data
https://api.osv.dev/v1/vulns/UBUNTU-CVE-2025-27498
Published
2025-03-03T17:15:00Z
Modified
2025-04-23T14:59:27Z
Summary
[none]
Details

aes-gcm is a pure Rust implementation of AES-GCM. In decrypt_in_place_detached, the decrypted ciphertext (which is the correct ciphertext) is exposed even if the tag is incorrect. This is because in decryptinplace in asconcore.rs, tag verification causes an error to be returned with the plaintext contents still in the buffer. The vulnerability is fixed in 0.4.3.

Affected packages

Ubuntu:24.10 / rust-aes-gcm

Package

Name
rust-aes-gcm
Purl
pkg:deb/ubuntu/rust-aes-gcm@0.10.3-2?arch=source&distro=oracular

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

0.*

0.10.3-2

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:24.04:LTS / rust-aes-gcm

Package

Name
rust-aes-gcm
Purl
pkg:deb/ubuntu/rust-aes-gcm@0.10.3-2?arch=source&distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

0.*

0.10.3-1
0.10.3-2

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:25.04 / rust-aes-gcm

Package

Name
rust-aes-gcm
Purl
pkg:deb/ubuntu/rust-aes-gcm@0.10.3-2?arch=source&distro=plucky

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)

Affected versions

0.*

0.10.3-2

Ecosystem specific

{
    "ubuntu_priority": "medium"
}