GHSA-6vqw-3v5j-54x4

Source

https://github.com/advisories/GHSA-6vqw-3v5j-54x4

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-6vqw-3v5j-54x4/GHSA-6vqw-3v5j-54x4.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-6vqw-3v5j-54x4

Aliases

Related

Published

2024-02-21T18:04:40Z

Modified

2024-10-22T05:29:00.721756Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

cryptography NULL pointer dereference with pkcs12.serialize_key_and_certificates when called with a non-matching certificate and private key and an hmac_hash override

Details

If pkcs12.serialize_key_and_certificates is called with both:

A certificate whose public key did not match the provided private key
An encryption_algorithm with hmac_hash set (via PrivateFormat.PKCS12.encryption_builder().hmac_hash(...)

Then a NULL pointer dereference would occur, crashing the Python process.

This has been resolved, and now a ValueError is properly raised.

Patched in https://github.com/pyca/cryptography/pull/10423

Database specific

{
    "nvd_published_at": "2024-02-21T17:15:09Z",
    "cwe_ids": [
        "CWE-476"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-21T18:04:40Z"
}

References

Affected packages

PyPI / cryptography

Package

Name: cryptography; View open source insights on deps.dev
Purl: pkg:pypi/cryptography

Affected ranges

Type: ECOSYSTEM
Events: Introduced

38.0.0

Fixed

42.0.4

Affected versions

38.*

38.0.0

38.0.1

38.0.2

38.0.3

38.0.4

39.*

39.0.0

39.0.1

39.0.2

40.*

40.0.0

40.0.1

40.0.2

41.*

41.0.0

41.0.1

41.0.2

41.0.3

41.0.4

41.0.5

41.0.6

41.0.7

42.*

42.0.0

42.0.1

42.0.2

42.0.3