CVE-2020-36242 - In the cryptography package before 3.3.2 for Python, certain sequences of update calls to symmetrica

CVE-2020-36242

Summary

In the cryptography package before 3.3.2 for Python, certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class.

References

Vulnerable Configurations

cpe:2.3:a:cryptography.io:cryptography:0.1:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:0.1:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:0.2:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:0.2:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:0.2.1:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:0.2.1:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:0.2.2:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:0.2.2:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:0.3:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:0.3:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:0.4:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:0.4:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:0.5:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:0.5:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:0.5.1:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:0.5.1:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:0.5.2:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:0.5.2:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:0.5.3:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:0.5.3:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:0.5.4:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:0.5.4:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:0.6:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:0.6:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:0.6.1:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:0.6.1:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:0.7:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:0.7:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:0.7.1:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:0.7.1:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:0.7.2:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:0.7.2:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:0.8:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:0.8:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:0.8.1:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:0.8.1:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:0.8.2:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:0.8.2:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:0.9:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:0.9:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:0.9.1:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:0.9.1:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:0.9.2:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:0.9.2:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:0.9.3:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:0.9.3:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:1.0:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:1.0:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:1.0.1:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:1.0.1:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:1.0.2:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:1.0.2:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:1.1:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:1.1:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:1.1.1:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:1.1.1:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:1.1.2:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:1.1.2:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:1.2:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:1.2:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:1.2.1:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:1.2.1:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:1.2.2:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:1.2.2:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:1.2.3:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:1.2.3:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:1.3:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:1.3:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:1.3.1:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:1.3.1:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:1.3.2:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:1.3.2:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:1.3.3:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:1.3.3:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:1.3.4:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:1.3.4:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:1.4:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:1.4:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:1.5:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:1.5:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:1.5.1:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:1.5.1:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:1.5.2:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:1.5.2:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:1.5.3:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:1.5.3:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:1.6:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:1.6:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:1.7:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:1.7:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:1.7.1:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:1.7.1:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:1.7.2:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:1.7.2:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:1.8:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:1.8:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:1.8.1:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:1.8.1:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:1.8.2:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:1.8.2:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:1.9:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:1.9:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:2.0:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:2.0:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:2.0.1:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:2.0.1:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:2.0.2:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:2.0.2:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:2.0.3:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:2.0.3:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:2.1:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:2.1:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:2.1.1:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:2.1.1:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:2.1.2:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:2.1.2:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:2.1.3:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:2.1.3:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:2.1.4:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:2.1.4:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:2.2:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:2.2:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:2.2.1:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:2.2.1:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:2.2.2:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:2.2.2:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:2.3:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:2.3:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:2.3.1:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:2.3.1:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:2.4:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:2.4:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:2.4.1:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:2.4.1:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:2.4.2:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:2.4.2:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:2.5:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:2.5:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:2.6:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:2.6:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:2.6.1:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:2.6.1:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:2.7:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:2.7:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:2.8:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:2.8:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:2.9:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:2.9:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:2.9.1:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:2.9.1:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:2.9.2:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:2.9.2:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:3.0:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:3.0:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:3.1:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:3.1:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:3.1.1:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:3.1.1:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:3.2:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:3.2:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:3.2.1:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:3.2.1:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:3.3:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:3.3:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:3.3.1:*:*:*:*:python:*:*
cpe:2.3:a:cryptography.io:cryptography:3.3.1:*:*:*:*:python:*:*
cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:1.10.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_cloud_native_core_network_function_cloud_native_environment:1.10.0:*:*:*:*:*:*:*

CVSS

Base:	6.4 (as of 05-09-2024 - 16:09)
Impact:
Exploitability:

CWE

CWE-190

CAPEC

Forced Integer Overflow
This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code.

Access

Vector	Complexity	Authentication
NETWORK	LOW	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	NONE	PARTIAL

cvss-vector via4

AV:N/AC:L/Au:N/C:P/I:N/A:P

Last major update

05-09-2024 - 16:09

Published

07-02-2021 - 20:15

Last modified

05-09-2024 - 16:09