CVE-2023-49083

EUVD-2023-0060
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling `load_pem_pkcs7_certificates` or `load_der_pkcs7_certificates` (in `cryptography.hazmat.primitives.serialization.pkcs7`) could lead to a NULL-pointer dereference and segfault. Because the crash occurs in native code, it terminates the whole interpreter and cannot be caught with a Python `try`/`except` around the call. Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application that deserializes a PKCS7 blob/certificate from an untrusted source, with consequent disruption of system availability and stability. This vulnerability has been patched in version 41.0.6.
Provider   Type      Base Score   Atk. Vector   Atk. Complexity   Priv. Required   Vector
NIST       Primary   5.9 MEDIUM   NETWORK       HIGH              NONE             CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
GitHub_M   CNA       5.9 MEDIUM   NETWORK       HIGH              NONE             CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: percentile 79%
Affected Products (NVD)
Vendor            Product        Version
cryptography.io   cryptography   3.1 ≤ x < 41.0.6   (x = vulnerable software versions)
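Two mitigations a deployer can apply while the fixed release is rolled out, as an added example that is not part of the advisory, of NVD, or of the pyca/cryptography project: a version gate built from the NVD range above (3.1 ≤ x < 41.0.6), and a wrapper that parses untrusted PKCS#7 in a child interpreter so that the NULL-pointer dereference, which a Python `try`/`except` cannot catch, only kills the child. The loader names are the real ones from `cryptography.hazmat.primitives.serialization.pkcs7`; the helper names, the PEM/DER sniffing rule, the `SAMPLE_BAD_PEM` blob and the status strings are assumptions of this example.

```python
"""Added example for CVE-2023-49083 (not from the advisory or from pyca/cryptography).

1. is_affected(): gate on the installed version using the NVD range on this page.
2. load_pkcs7_isolated(): run the PKCS#7 parse in a separate interpreter. The bug is
   a NULL-pointer dereference in native code, so the whole process segfaults and no
   Python exception handler runs; a parent process, however, can observe the death.
"""
import re
import subprocess
import sys
from importlib.metadata import PackageNotFoundError, version as dist_version
from typing import List, Optional, Tuple

AFFECTED_MIN = (3, 1, 0)   # inclusive lower bound from NVD: 3.1 <= x
FIXED_IN = (41, 0, 6)      # exclusive upper bound from NVD: x < 41.0.6 (first patched release)


def parse_version(ver: str) -> Tuple[int, int, int]:
    """'41.0.6' -> (41, 0, 6); '3.1' -> (3, 1, 0). Non-numeric suffixes such as
    Debian's '-3+deb12u1' are cut off at the first non-digit character."""
    nums: List[int] = []
    for piece in ver.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        nums.append(int(m.group()))
    nums = (nums + [0, 0, 0])[:3]
    return nums[0], nums[1], nums[2]


def is_affected(ver: str) -> bool:
    """True when an upstream cryptography version lies in the NVD affected range."""
    return AFFECTED_MIN <= parse_version(ver) < FIXED_IN


def installed_cryptography_version() -> Optional[str]:
    """Version string of the installed 'cryptography' distribution, or None."""
    try:
        return dist_version("cryptography")
    except PackageNotFoundError:
        return None


# Source of the child interpreter. It reads the blob from stdin, picks the PEM or
# DER loader by sniffing for a PEM header (our rule, not the library's), and prints
# one subject per certificate. Only this child can die on a malicious blob.
_CHILD_SCRIPT = r"""
import sys
from cryptography.hazmat.primitives.serialization import pkcs7
data = sys.stdin.buffer.read()
if data.lstrip().startswith(b"-----BEGIN"):
    certs = pkcs7.load_pem_pkcs7_certificates(data)
else:
    certs = pkcs7.load_der_pkcs7_certificates(data)
for cert in certs:
    print(cert.subject.rfc4514_string())
"""


def load_pkcs7_isolated(blob: bytes, timeout: float = 10.0) -> Tuple[str, List[str]]:
    """Parse a PKCS#7 blob in a child interpreter and report how it ended.

    Returns (status, subjects); status is one of
      'ok'       parsed; subjects holds one RFC 4514 name per certificate
      'crash'    child killed by a signal (POSIX: returncode -11 is SIGSEGV)
      'error'    child raised a Python exception (malformed input, package missing)
                 or could not be started
      'timeout'  child exceeded `timeout` seconds
    On Windows an access violation surfaces as a large positive exit code and is
    therefore reported as 'error' rather than 'crash'.
    """
    try:
        proc = subprocess.run(
            [sys.executable, "-c", _CHILD_SCRIPT],
            input=blob, capture_output=True, timeout=timeout,
        )
    except subprocess.TimeoutExpired:
        return "timeout", []
    except OSError:
        return "error", []
    if proc.returncode < 0:          # POSIX: negative code is the terminating signal
        return "crash", []
    if proc.returncode != 0:
        return "error", []
    return "ok", proc.stdout.decode(errors="replace").splitlines()


# Constructed sample: a PEM wrapper around bytes that are not a PKCS#7 structure.
# It exercises the failure path without needing a real certificate bundle.
SAMPLE_BAD_PEM = b"-----BEGIN PKCS7-----\nAAAA\n-----END PKCS7-----\n"


def main() -> None:
    ver = installed_cryptography_version()
    if ver is None:
        print("cryptography is not installed in this interpreter")
    else:
        state = "AFFECTED, upgrade to >= 41.0.6" if is_affected(ver) else "outside affected range"
        print(f"cryptography {ver}: {state}")
    status, subjects = load_pkcs7_isolated(SAMPLE_BAD_PEM)
    print(f"isolated parse of sample blob: {status} {subjects}")


if __name__ == "__main__":
    main()
```

The version gate is only meaningful for upstream releases installed from PyPI: distribution packages such as Debian's 38.0.4-3+deb12u1 or Ubuntu's 3.4.8-1ubuntu2.1 carry the fix as a backport at an old upstream version and would be flagged as affected, so rely on the distribution tables on this page for those. The subprocess wrapper costs one interpreter start per blob; in a long-running service a persistent worker pool restarted on death gives the same containment more cheaply.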
Debian Releases (python-cryptography)
Codename              Version            Status
bookworm              38.0.4-3+deb12u1   fixed
bookworm (security)   -                  vulnerable
bullseye              -                  vulnerable
bullseye (security)   3.3.2-1+deb11u1    fixed
buster                -                  not-affected
sid                   43.0.0-1           fixed
trixie                43.0.0-1           fixed
Ubuntu Releases (python-cryptography)
Codename   Status         Fixed version
bionic     not-affected   -
focal      not-affected   -
jammy      released       3.4.8-1ubuntu2.1
lunar      released       38.0.4-2ubuntu0.1
mantic     released       38.0.4-4ubuntu0.23.10.1
trusty     ignored        -
xenial     not-affected   -