CVE-2023-49083

2023-11-2919:15:07

CWE-476

[email protected]

web.nvd.nist.gov

cryptography

package

vulnerability

dos

null-pointer dereference

pkcs7

certificate

python

nvd

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.4 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

25.1%

JSON

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling load_pem_pkcs7_certificates or load_der_pkcs7_certificates could lead to a NULL-pointer dereference and segfault. Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system availability and stability. This vulnerability has been patched in version 41.0.6.

Affected configurations

Vulners

NVD

Node

pycacryptographyRange3.1–41.0.6

CPENameOperatorVersion
cryptography_project:cryptographycryptography project cryptographylt41.0.6

CPE	Name	Operator	Version
cryptography_project:cryptography	cryptography project cryptography	lt	41.0.6

CNA Affected

[
  {
    "vendor": "pyca",
    "product": "cryptography",
    "versions": [
      {
        "version": ">= 3.1, < 41.0.6",
        "status": "affected"
      }
    ]
  }
]