CVE Vulnerabilities

CVE-2025-27498

Improper Verification of Cryptographic Signature

Published: Mar 03, 2025 | Modified: Mar 03, 2025
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
RedHat/V2
RedHat/V3
Ubuntu
MEDIUM

aes-gcm is a pure Rust implementation of the AES-GCM. In decrypt_in_place_detached, the decrypted ciphertext (which is the correct ciphertext) is exposed even if the tag is incorrect. This is because in decrypt_inplace in asconcore.rs, tag verification causes an error to be returned with the plaintext contents still in buffer. The vulnerability is fixed in 0.4.3.

Weakness

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

References