All the vulnerabilites related to pyca - cryptography
cve-2023-23931
Vulnerability from cvelistv5
Published
2023-02-07 20:54
Modified
2024-08-02 10:42
Severity ?
EPSS score ?
Summary
Cipher.update_into can corrupt memory in pyca cryptography
References
▼ | URL | Tags |
---|---|---|
https://github.com/pyca/cryptography/security/advisories/GHSA-w7pp-m8wf-vj6r | x_refsource_CONFIRM | |
https://github.com/pyca/cryptography/pull/8230/commits/94a50a9731f35405f0357fa5f3b177d46a726ab3 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | pyca | cryptography |
Version: >=1.8, < 39.0.1 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T10:42:27.102Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "url": "https://security.netapp.com/advisory/ntap-20230324-0007/" }, { "name": "https://github.com/pyca/cryptography/security/advisories/GHSA-w7pp-m8wf-vj6r", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/pyca/cryptography/security/advisories/GHSA-w7pp-m8wf-vj6r" }, { "name": "https://github.com/pyca/cryptography/pull/8230/commits/94a50a9731f35405f0357fa5f3b177d46a726ab3", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/pyca/cryptography/pull/8230/commits/94a50a9731f35405f0357fa5f3b177d46a726ab3" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "cryptography", "vendor": "pyca", "versions": [ { "status": "affected", "version": "\u003e=1.8, \u003c 39.0.1" } ] } ], "descriptions": [ { "lang": "en", "value": "cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions `Cipher.update_into` would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as `bytes`) to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This now correctly raises an exception. This issue has been present since `update_into` was originally introduced in cryptography 1.8." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-754", "description": "CWE-754: Improper Check for Unusual or Exceptional Conditions", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-02-07T20:54:03.628Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/pyca/cryptography/security/advisories/GHSA-w7pp-m8wf-vj6r", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/pyca/cryptography/security/advisories/GHSA-w7pp-m8wf-vj6r" }, { "name": "https://github.com/pyca/cryptography/pull/8230/commits/94a50a9731f35405f0357fa5f3b177d46a726ab3", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/pyca/cryptography/pull/8230/commits/94a50a9731f35405f0357fa5f3b177d46a726ab3" } ], "source": { "advisory": "GHSA-w7pp-m8wf-vj6r", "discovery": "UNKNOWN" }, "title": "Cipher.update_into can corrupt memory in pyca cryptography" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-23931", "datePublished": "2023-02-07T20:54:03.628Z", "dateReserved": "2023-01-19T21:12:31.360Z", "dateUpdated": "2024-08-02T10:42:27.102Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2024-26130
Vulnerability from cvelistv5
Published
2024-02-21 16:28
Modified
2024-08-14 20:01
Severity ?
EPSS score ?
Summary
cryptography NULL pointer deference with pkcs12.serialize_key_and_certificates when called with a non-matching certificate and private key and an hmac_hash override
References
▼ | URL | Tags |
---|---|---|
https://github.com/pyca/cryptography/security/advisories/GHSA-6vqw-3v5j-54x4 | x_refsource_CONFIRM | |
https://github.com/pyca/cryptography/pull/10423 | x_refsource_MISC | |
https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55 | x_refsource_MISC |
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | pyca | cryptography |
Version: >= 38.0.0, < 42.0.4 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-01T23:59:32.542Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/pyca/cryptography/security/advisories/GHSA-6vqw-3v5j-54x4", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/pyca/cryptography/security/advisories/GHSA-6vqw-3v5j-54x4" }, { "name": "https://github.com/pyca/cryptography/pull/10423", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/pyca/cryptography/pull/10423" }, { "name": "https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55" } ], "title": "CVE Program Container" }, { "affected": [ { "cpes": [ "cpe:2.3:a:cryptography_project:cryptography:*:*:*:*:*:python:*:*" ], "defaultStatus": "unknown", "product": "cryptography", "vendor": "cryptography_project", "versions": [ { "lessThan": "42.04", "status": "affected", "version": "38.0.0", "versionType": "custom" } ] } ], "metrics": [ { "other": { "content": { "id": "CVE-2024-26130", "options": [ { "Exploitation": "none" }, { "Automatable": "yes" }, { "Technical Impact": "partial" } ], "role": "CISA Coordinator", "timestamp": "2024-08-14T19:56:07.150963Z", "version": "2.0.3" }, "type": "ssvc" } } ], "providerMetadata": { "dateUpdated": "2024-08-14T20:01:52.628Z", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP" }, "title": "CISA ADP Vulnrichment" } ], "cna": { "affected": [ { "product": "cryptography", "vendor": "pyca", "versions": [ { "status": "affected", "version": "\u003e= 38.0.0, \u003c 42.0.4" } ] } ], "descriptions": [ { "lang": "en", "value": "cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting in version 38.0.0 and prior to version 42.0.4, if `pkcs12.serialize_key_and_certificates` is called with both a certificate whose public key did not match the provided private key and an `encryption_algorithm` with `hmac_hash` set (via `PrivateFormat.PKCS12.encryption_builder().hmac_hash(...)`, then a NULL pointer dereference would occur, crashing the Python process. This has been resolved in version 42.0.4, the first version in which a `ValueError` is properly raised." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-476", "description": "CWE-476: NULL Pointer Dereference", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2024-02-21T16:28:18.632Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/pyca/cryptography/security/advisories/GHSA-6vqw-3v5j-54x4", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/pyca/cryptography/security/advisories/GHSA-6vqw-3v5j-54x4" }, { "name": "https://github.com/pyca/cryptography/pull/10423", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/pyca/cryptography/pull/10423" }, { "name": "https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55" } ], "source": { "advisory": "GHSA-6vqw-3v5j-54x4", "discovery": "UNKNOWN" }, "title": "cryptography NULL pointer deference with pkcs12.serialize_key_and_certificates when called with a non-matching certificate and private key and an hmac_hash override" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2024-26130", "datePublished": "2024-02-21T16:28:18.632Z", "dateReserved": "2024-02-14T17:40:03.687Z", "dateUpdated": "2024-08-14T20:01:52.628Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-49083
Vulnerability from cvelistv5
Published
2023-11-29 18:50
Modified
2024-08-02 21:46
Severity ?
EPSS score ?
Summary
cryptography vulnerable to NULL-dereference when loading PKCS7 certificates
References
Impacted products
Vendor | Product | Version | |
---|---|---|---|
▼ | pyca | cryptography |
Version: >= 3.1, < 41.0.6 |
|
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T21:46:29.207Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "https://github.com/pyca/cryptography/security/advisories/GHSA-jfhm-5ghh-2f97", "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/pyca/cryptography/security/advisories/GHSA-jfhm-5ghh-2f97" }, { "name": "https://github.com/pyca/cryptography/pull/9926", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/pyca/cryptography/pull/9926" }, { "name": "https://github.com/pyca/cryptography/commit/f09c261ca10a31fe41b1262306db7f8f1da0e48a", "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/pyca/cryptography/commit/f09c261ca10a31fe41b1262306db7f8f1da0e48a" }, { "tags": [ "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QMNTYMUGFJSDBYBU22FUYBHFRZODRKXV/" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "cryptography", "vendor": "pyca", "versions": [ { "status": "affected", "version": "\u003e= 3.1, \u003c 41.0.6" } ] } ], "descriptions": [ { "lang": "en", "value": "cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling `load_pem_pkcs7_certificates` or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference and segfault. Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system availability and stability. This vulnerability has been patched in version 41.0.6." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-476", "description": "CWE-476: NULL Pointer Dereference", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2023-12-05T01:28:16.238Z", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "name": "https://github.com/pyca/cryptography/security/advisories/GHSA-jfhm-5ghh-2f97", "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/pyca/cryptography/security/advisories/GHSA-jfhm-5ghh-2f97" }, { "name": "https://github.com/pyca/cryptography/pull/9926", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/pyca/cryptography/pull/9926" }, { "name": "https://github.com/pyca/cryptography/commit/f09c261ca10a31fe41b1262306db7f8f1da0e48a", "tags": [ "x_refsource_MISC" ], "url": "https://github.com/pyca/cryptography/commit/f09c261ca10a31fe41b1262306db7f8f1da0e48a" }, { "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QMNTYMUGFJSDBYBU22FUYBHFRZODRKXV/" } ], "source": { "advisory": "GHSA-jfhm-5ghh-2f97", "discovery": "UNKNOWN" }, "title": "cryptography vulnerable to NULL-dereference when loading PKCS7 certificates" } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2023-49083", "datePublished": "2023-11-29T18:50:24.263Z", "dateReserved": "2023-11-21T18:57:30.428Z", "dateUpdated": "2024-08-02T21:46:29.207Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }