CVE-2023-49083
5.9
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling load_pem_pkcs7_certificates or load_der_pkcs7_certificates could lead to a NULL-pointer dereference and segfault. Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system availability and stability. This vulnerability has been patched in version 41.0.6.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| pyca | cryptography | >= 3.1, < 41.0.6 | affected |
Weaknesses
- CWE-476: CWE-476: NULL Pointer Dereference
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/pyca/cryptography/security/advisories/GHSA-jfhm-5ghh-2f97
- https://github.com/pyca/cryptography/pull/9926
- https://github.com/pyca/cryptography/commit/f09c261ca10a31fe41b1262306db7f8f1da0e48a
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QMNTYMUGFJSDBYBU22FUYBHFRZODRKXV/
- https://lists.debian.org/debian-lts-announce/2024/10/msg00012.html
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: partial
References
- https://github.com/pyca/cryptography/security/advisories/GHSA-jfhm-5ghh-2f97
- https://github.com/pyca/cryptography/pull/9926
- https://github.com/pyca/cryptography/commit/f09c261ca10a31fe41b1262306db7f8f1da0e48a
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QMNTYMUGFJSDBYBU22FUYBHFRZODRKXV/
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.