
CVE-2024-26130 cryptography

Package

Manager: pip
Name: cryptography
Vulnerable Version: >=38.0.0 <42.0.4

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00341 pctl0.56098

Details

cryptography NULL pointer dereference with pkcs12.serialize_key_and_certificates when called with a non-matching certificate and private key and an hmac_hash override

If `pkcs12.serialize_key_and_certificates` is called with both:

1. A certificate whose public key does not match the provided private key
2. An `encryption_algorithm` with `hmac_hash` set (via `PrivateFormat.PKCS12.encryption_builder().hmac_hash(...)`)

then a NULL pointer dereference occurs, crashing the Python process. This has been resolved, and a `ValueError` is now properly raised. Patched in https://github.com/pyca/cryptography/pull/10423

The CVSS vectors above reflect this: the only impact is availability (the interpreter aborts rather than raising), which matters where untrusted callers can supply the certificate or private key that a service packages into a PKCS#12 bundle with the default HMAC overridden.

Metadata

Created: 2024-02-21T18:04:40Z
Modified: 2025-02-06T18:07:25Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-6vqw-3v5j-54x4/GHSA-6vqw-3v5j-54x4.json
CWE IDs: ["CWE-476"]
Alternative ID: GHSA-6vqw-3v5j-54x4
Finding: F002
Auto approve: 1