Severity: HIGH 7.5

PYSEC-2023-254

Details

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling `load_pem_pkcs7_certificates` or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference and segfault. Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system availability and stability. This vulnerability has been patched in version 41.0.6.
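Because the failure mode here is a segfault in native code rather than a Python exception, a try/except around the loader does nothing. The following added example (not part of this advisory or of the cryptography project) shows two defensive layers: a version gate that refuses to parse untrusted PKCS7 input on a build older than the fixed 41.0.6, and a wrapper that runs the parse in a child process so a crash kills the child instead of the service. The helper names are assumptions of this example.

```python
"""Defensive wrapper for PKCS7 certificate loading (PYSEC-2023-254)."""
import multiprocessing
import re
from importlib import metadata

FIXED_VERSION = (41, 0, 6)  # fix version stated in the advisory


def parse_version(version: str) -> tuple:
    """Leading numeric components of a version string, e.g. '41.0.6' -> (41, 0, 6)."""
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3])


def loader_is_patched(version: str) -> bool:
    """True when this cryptography version carries the 41.0.6 fix."""
    return parse_version(version) >= FIXED_VERSION


def installed_cryptography_is_patched() -> bool:
    """Check the installed package; a missing package counts as unpatched."""
    try:
        return loader_is_patched(metadata.version("cryptography"))
    except metadata.PackageNotFoundError:
        return False


def _parse_in_child(blob: bytes, queue) -> None:
    # Runs in the child process: a NULL-pointer dereference here only kills the child.
    from cryptography.hazmat.primitives.serialization import pkcs7, Encoding
    try:
        is_pem = blob.lstrip().startswith(b"-----")
        loader = pkcs7.load_pem_pkcs7_certificates if is_pem else pkcs7.load_der_pkcs7_certificates
        # Hand back plain DER bytes; the parent re-loads them with the x509 loaders.
        queue.put(("ok", [c.public_bytes(Encoding.DER) for c in loader(blob)]))
    except Exception as exc:  # ordinary parse errors are reported, not crashes
        queue.put(("error", f"{type(exc).__name__}: {exc}"))


def load_pkcs7_certs_isolated(blob: bytes, timeout: float = 5.0) -> list:
    """Parse untrusted PKCS7 in a child process; return the certificates as DER bytes."""
    if not installed_cryptography_is_patched():
        raise RuntimeError("cryptography < 41.0.6 installed: refusing to parse untrusted PKCS7")
    ctx = multiprocessing.get_context("spawn")
    queue = ctx.Queue()
    proc = ctx.Process(target=_parse_in_child, args=(blob, queue))
    proc.start()
    proc.join(timeout)
    if proc.is_alive():
        proc.kill()
        proc.join()
        raise RuntimeError("PKCS7 parser timed out")
    if queue.empty():  # child died without reporting, e.g. exit code -11 on a segfault
        raise RuntimeError(f"PKCS7 parser crashed (exit code {proc.exitcode})")
    status, payload = queue.get()
    if status != "ok":
        raise ValueError(payload)
    return payload
```

The version gate is the real fix; the process isolation only limits the blast radius of a crash while an upgrade is rolled out.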


Affected packages

PyPI / cryptography
Introduced in: 0
Fixed in: commit f09c261ca10a31fe41b1262306db7f8f1da0e48a (released in version 41.0.6)
Fix: pip install --upgrade 'cryptography>=41.0.6'
