Fluid Attacks Database

Description

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling load_pem_pkcs7_certificates or load_der_pkcs7_certificates could lead to a NULL-pointer dereference and segfault. Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system availability and stability. This vulnerability has been patched in version 41.0.6.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	python-cryptography	=3.3.2-1 \|\| >=0 <3.3.2-1+deb11u1	3.3.2-1+deb11u1
debian 12	python-cryptography	=38.0.4-3 \|\| >=0 <38.0.4-3+deb12u1	38.0.4-3+deb12u1
debian 13	python-cryptography	>=0 <41.0.7-1	41.0.7-1
debian 14	python-cryptography	>=0 <41.0.7-1	41.0.7-1
pypi	cryptography	>=3.1 <41.0.6	41.0.6
rpm rhel7	python-cryptography	-	-
rpm rhel8	python-cryptography	<0:3.2.1-8.el8_10	0:3.2.1-8.el8_10
rpm rhel8.4	python-cryptography	<0:3.2.1-4.el8_4.1	0:3.2.1-4.el8_4.1
rpm rhel9	python-cryptography	<0:36.0.1-5.el9_6	0:36.0.1-5.el9_6
rpm rhel9.4	python-cryptography	<0:36.0.1-4.el9_4.1	0:36.0.1-4.el9_4.1

1-10 of 13

Aliases

1. CVE-2023-490832. NVD-2023-490833. OSV-DEBIAN-2023-490834. OSV-2023-490835. GHSA-jfhm-5ghh-2f976. GCVE-2023-490837. SECURITY-TRACKER-CVE-2023-490838. lists.debian.org

References

1. https://github.com/pyca/cryptography/security/advisories/GHSA-jfhm-5ghh-2f972. https://github.com/pyca/cryptography/pull/99263. https://github.com/pyca/cryptography/commit/f09c261ca10a31fe41b1262306db7f8f1da0e48a4. https://github.com/pypa/advisory-database/tree/main/vulns/cryptography/PYSEC-2023-254.yaml5. https://lists.fedoraproject.org/archives/list/[email protected]/message/QMNTYMUGFJSDBYBU22FUYBHFRZODRKXV6. http://www.openwall.com/lists/oss-security/2023/11/29/2