PYSEC-2021-63

Import Source: https://github.com/pypa/advisory-database/blob/main/vulns/cryptography/PYSEC-2021-63.yaml
Aliases:
Published: 2021-02-07T20:15:00Z
Modified: 2023-11-08T04:03:42.949464Z
Details

In the cryptography package before 3.3.2 for Python, certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class.

References

Affected packages

PyPI / cryptography

Package

Affected ranges

Type: ECOSYSTEM
Events:
Introduced: 3.1
Fixed: 3.3.2

Affected versions

3.*

3.1
3.1.1
3.2
3.2.1
3.3
3.3.1