CVE-2023-49083

Description

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling `load_pem_pkcs7_certificates` or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference and segfault. Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system availability and stability. This vulnerability has been patched in version 41.0.6.

CVSS Metrics

• v3.1•MEDIUM•Score: 5.9CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
• v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Trends

Current EPSS score: 1.26%• Percentile: 80%

Techniques & Countermeasures

• CWE-476•NULL Pointer Dereference

  The product dereferences a pointer that it expects to be valid but is NULL.

Affected Systems

• cryptography.io•cryptography

  ≥ 3.1, < 41.0.6

• pyca•cryptography

  ≥ 3.1, < 41.0.6

• PyPI•cryptography

  < f09c261ca10a31fe41b1262306db7f8f1da0e48a | ≥ 3.1, < 41.0.6

References (10)

• https://github.com/pyca/cryptography/security/advisories/GHSA-jfhm-5ghh-2f97
• https://github.com/pyca/cryptography/pull/9926
• https://github.com/pyca/cryptography/commit/f09c261ca10a31fe41b1262306db7f8f1da0e48a
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QMNTYMUGFJSDBYBU22FUYBHFRZODRKXV/
• https://lists.debian.org/debian-lts-announce/2024/10/msg00012.html
• https://nvd.nist.gov/vuln/detail/CVE-2023-49083
• https://github.com/pyca/cryptography
• https://github.com/pypa/advisory-database/tree/main/vulns/cryptography/PYSEC-2023-254.yaml
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QMNTYMUGFJSDBYBU22FUYBHFRZODRKXV
• http://www.openwall.com/lists/oss-security/2023/11/29/2