[Cryptography-dev] Report a potential risk of secret leakage in project(cryptography_vectors)

Alex Gaynor alex.gaynor at gmail.com
Tue Aug 13 07:35:02 EDT 2024


Hi,

This package intentionally contains cryptographic test vectors; none
of these credentials are intended to be secret.

Alex

On Tue, Aug 13, 2024 at 7:33 AM <jiawei_zhou at seu.edu.cn> wrote:
>
>
> Dear developers of the project(cryptography_vectors),
>
> We are software security researchers, currently conducting research on secret detection and leakage risk within the open-source ecosystem.
>
> In our analysis, we identified potential secret leakage risks in your project, cryptography_vectors.
>
> We provide the detail of our findings in the attachment, which allows you to locate the potential leaked secrets. Below is an interpretation of the attached data:
>
> {   'file': '',            # The file containing the secret
>                            # The project name, version or commit_hash may be reflected in the file path
>     'line_start': 1,       # location: Start line of the secret
>     'line_end': 28,        # location: End line of the secret
>     'col_start': 1,        # location: Start column of the secret
>     'col_end': 1,          # location: End column of the secret
>     'index_start': 0,      # location: Start index of the secret
>     'index_end': 1675,     # location: End index of the secret
> }
>
>
> Declaration: we hereby declare that we have *NOT* conducted any verification test or exploit on the identified secrets. We plan to publish related research papers in the future, and the relevant content MIGHT BE ACCESSIBLE TO THE PUBLIC due to the 90-day disclosure policy.
>
> Some advice:
>
> 1. If the leaked secret is sensitive and still valid, invalidate and rotate the secret immediately.
> 2. Some secrets seem to be used only in a testing environment. Although probably harmless, it is considered bad practice to include secrets for the test environment in release builds.
>
> Best regards,
> _______________________________________________
> Cryptography-dev mailing list
> Cryptography-dev at python.org
> https://mail.python.org/mailman/listinfo/cryptography-dev



-- 
All that is necessary for evil to succeed is for good people to do nothing.
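As an added illustration (not code from the thread or from the pyca/cryptography project), here is a small triage helper for scanner findings in the shape the report describes: it recomputes the line/column location from the `index_start`/`index_end` fields to catch inconsistent reports, and classifies a hit under a known test-vector directory as intentionally public rather than as a leaked secret. The directory names in `TEST_VECTOR_DIRS`, the sample path and the PEM-shaped sample content are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Directory names treated as published test-vector trees (assumption, not from the thread).
TEST_VECTOR_DIRS = frozenset({"cryptography_vectors", "vectors", "test_vectors"})

@dataclass
class Finding:
    """One finding in the shape the report describes; every field is scanner output."""
    file: str
    line_start: int
    line_end: int
    col_start: int
    col_end: int
    index_start: int
    index_end: int

def position(content: str, idx: int) -> Tuple[int, int]:
    """1-based (line, col) of the absolute character index idx in content."""
    line = content.count("\n", 0, idx) + 1
    col = idx - content.rfind("\n", 0, idx)
    return line, col

def locations_agree(content: str, f: Finding) -> bool:
    """Recompute line/col from the index fields and compare with what the scanner reported."""
    return (position(content, f.index_start) == (f.line_start, f.col_start)
            and position(content, f.index_end) == (f.line_end, f.col_end))

def is_test_vector_path(path: str) -> bool:
    """True when any directory component of the path names a known test-vector tree."""
    return any(part in TEST_VECTOR_DIRS for part in path.split("/")[:-1])

def triage(content: str, f: Finding) -> Dict[str, object]:
    """Public test vector, key-shaped material that needs review, or unclassified."""
    span = content[f.index_start:f.index_end]
    if is_test_vector_path(f.file):
        verdict = "intentionally-public-test-vector"
    elif "PRIVATE KEY" in span:
        verdict = "review-required"
    else:
        verdict = "unclassified"
    return {"verdict": verdict, "locations_agree": locations_agree(content, f),
            "span_chars": len(span)}

# Constructed sample: a dummy PEM-shaped blob under a vectors directory (not a real key).
SAMPLE_FILE = "vectors/cryptography_vectors/asymmetric/example.pem"
SAMPLE_CONTENT = "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"
SAMPLE_FINDING = Finding(SAMPLE_FILE, line_start=1, line_end=4, col_start=1, col_end=1,
                         index_start=0, index_end=len(SAMPLE_CONTENT))
```

Calling `triage(SAMPLE_CONTENT, SAMPLE_FINDING)` returns the public-test-vector verdict with `locations_agree` set to True; the same blob reported under a non-vector path comes back as `review-required`.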

