HIGH 7.5

PYSEC-2023-254

상세

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling `load_pem_pkcs7_certificates` or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference and segfault. Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system availability and stability. This vulnerability has been patched in version 41.0.6.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

PyPI / cryptography

최초 영향 버전: 0 수정 버전: f09c261ca10a31fe41b1262306db7f8f1da0e48a

수정 pip install --upgrade 'cryptography>=f09c261ca10a31fe41b1262306db7f8f1da0e48a'

참고

https://github.com/pyca/cryptography/security/advisories/GHSA-jfhm-5ghh-2f97 [ADVISORY]
https://github.com/pyca/cryptography/pull/9926 [FIX]
https://github.com/pyca/cryptography/commit/f09c261ca10a31fe41b1262306db7f8f1da0e48a [FIX]
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QMNTYMUGFJSDBYBU22FUYBHFRZODRKXV/ [WEB]