Fluid Attacks Database

Description

CPython 3.9 and earlier doesn't disallow configuring an empty list ("[]") for SSLContext.set_npn_protocols() which is an invalid value for the underlying OpenSSL API. This results in a buffer over-read when NPN is used (see CVE-2024-5535 for OpenSSL). This vulnerability is of low severity due to NPN being not widely used and specifying an empty list likely being uncommon in-practice (typically a protocol name would be configured).

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	pypy3	=7.3.10+dfsg-1 \|\| =7.3.10~rc3+dfsg-1 \|\| =7.3.10~rc3+dfsg-2 \|\| =7.3.11+dfsg-1 \|\| =7.3.11+dfsg-2 \|\| =7.3.12+dfsg-1 \|\| =7.3.12~rc1+dfsg-1 \|\| =7.3.12~rc2+dfsg-1 \|\| =7.3.13+dfsg-1 \|\| =7.3.14+dfsg-1 \|\| =7.3.15+dfsg-1 \|\| =7.3.16+dfsg-1 \|\| =7.3.16+dfsg-2 \|\| =7.3.17+dfsg-1 \|\| =7.3.17+dfsg-2 \|\| =7.3.17+dfsg-3 \|\| =7.3.18+dfsg-1 \|\| =7.3.18+dfsg-2 \|\| =7.3.19+dfsg-1 \|\| =7.3.19+dfsg-2 \|\| =7.3.20+dfsg-1 \|\| =7.3.20+dfsg-2 \|\| =7.3.20+dfsg-3 \|\| =7.3.20+dfsg-4 \|\| =7.3.21+dfsg-1 \|\| =7.3.21+dfsg-2 \|\| =7.3.21+dfsg-3 \|\| =7.3.21+dfsg-4 \|\| =7.3.5+dfsg-2 \|\| =7.3.5+dfsg-2+deb11u1 \|\| =7.3.5+dfsg-2+deb11u2 \|\| =7.3.5+dfsg-2+deb11u3 \|\| =7.3.5+dfsg-2+deb11u4 \|\| =7.3.5+dfsg-2+deb11u5 \|\| =7.3.6+dfsg-1 \|\| =7.3.6~rc2+dfsg-1 \|\| =7.3.6~rc2+dfsg-2 \|\| =7.3.7+dfsg-1 \|\| =7.3.7+dfsg-2 \|\| =7.3.7+dfsg-3 \|\| =7.3.7+dfsg-4 \|\| =7.3.7+dfsg-5 \|\| =7.3.8+dfsg-1 \|\| =7.3.8+dfsg-2 \|\| =7.3.8~rc1+dfsg-1 \|\| =7.3.8~rc1+dfsg-2 \|\| =7.3.9+dfsg-1 \|\| =7.3.9+dfsg-2 \|\| =7.3.9+dfsg-3 \|\| =7.3.9+dfsg-4 \|\| =7.3.9+dfsg-5	-
debian 12	pypy3	>=0 <7.3.10+dfsg-1	7.3.10+dfsg-1
debian 13	pypy3	>=0 <7.3.10+dfsg-1	7.3.10+dfsg-1
debian 14	pypy3	>=0 <7.3.10+dfsg-1	7.3.10+dfsg-1
debian 11	python2.7	=2.7.18-10 \|\| =2.7.18-11 \|\| =2.7.18-12 \|\| =2.7.18-13 \|\| =2.7.18-13.1 \|\| =2.7.18-13.1~exp1 \|\| =2.7.18-13.2 \|\| =2.7.18-8 \|\| =2.7.18-8+deb11u1 \|\| =2.7.18-9	-
debian 11	python3.9	=3.9.10-1 \|\| =3.9.10-2 \|\| =3.9.11-1 \|\| =3.9.12-1 \|\| =3.9.13-1 \|\| =3.9.2-1 \|\| =3.9.2-1+deb11u1 \|\| =3.9.2-1+deb11u2 \|\| =3.9.2-1+deb11u3 \|\| =3.9.2-1+deb11u4 \|\| =3.9.2-1+deb11u5 \|\| =3.9.2-1+deb11u6 \|\| =3.9.3-1 \|\| =3.9.3-2 \|\| =3.9.4-1 \|\| =3.9.5-1 \|\| =3.9.5-2 \|\| =3.9.5-3 \|\| =3.9.6-1 \|\| =3.9.7-1 \|\| =3.9.7-2 \|\| =3.9.7-4 \|\| =3.9.8-1 \|\| =3.9.8-2 \|\| =3.9.9-1 \|\| =3.9.9-2 \|\| =3.9.9-3 \|\| =3.9.9-4	-
rpm rhel8	python39-devel	<0:3.9.25-2.module+el8.10.0+23718+1842ae33	0:3.9.25-2.module+el8.10.0+23718+1842ae33
rpm rhel8	python2	-	-
rpm rhel7	python	-	-
rpm rhel8	python39	<0:3.9.25-2.module+el8.10.0+23718+1842ae33	0:3.9.25-2.module+el8.10.0+23718+1842ae33

1-10 of 13

Aliases

1. CVE-2024-56422. NVD-2024-56423. OSV-DEBIAN-2024-56424. OSV-2024-56425. SECURITY-TRACKER-CVE-2024-5642

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.