CVE-2020-36242

Name
CVE-2020-36242
Description
In the cryptography package before 3.3.2 for Python, certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class.
NVD Severity
high
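Two checks a practitioner would want next to this entry, as an added example (not code from the tracker or from pyca/cryptography): a version gate that implements the match rule on this page (anything below 3.3.2, with Alpine's `-rN` package suffix stripped so the versions in the package table compare correctly), and a wrapper that feeds a CipherContext through bounded update() calls so that no single native call receives the multi-GB input the description names as the trigger. CHUNK_SIZE (64 MiB), the helper names and the RecordingContext stand-in are assumptions of this example, not from the page; upgrading to 3.3.2 or later remains the fix, the wrapper is only defence in depth for code that must tolerate older installs.

```python
# Added example for this tracker entry; not code from pyca/cryptography.
# 1. is_affected(): the page's match rule, cryptography < 3.3.2.
# 2. update_in_chunks(): bounded update() calls on a CipherContext so no
#    single native call sees a multi-GB buffer (the trigger in the description).
# CHUNK_SIZE, the helper names and RecordingContext are assumptions here.
import re
from importlib import metadata
from typing import List, Optional, Tuple

FIXED_VERSION = (3, 3, 2, 0)          # first fixed release per the match rule
CHUNK_SIZE = 64 * 1024 * 1024         # assumed bound per update() call (64 MiB)


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Map a version string onto a comparable 4-tuple.

    '3.3.1' -> (3, 3, 1, 0); '2.8' -> (2, 8, 0, 0); Alpine's '-rN' package
    suffix ('3.3.2-r0') is stripped first. Any remaining non-numeric label
    ('3.3.2rc1') is treated as a pre-release and gets a trailing -1, so it
    sorts below the release it precedes (conservative: still affected).
    """
    version = re.sub(r"-r\d+$", "", version.strip())
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    nums += [0] * (3 - len(nums))
    prerelease = re.search(r"[^\d.]", version) is not None
    return (nums[0], nums[1], nums[2], -1 if prerelease else 0)


def is_affected(version: str) -> bool:
    """True when the version falls inside the page's rule: < 3.3.2."""
    return parse_version(version) < FIXED_VERSION


def installed_cryptography() -> Optional[str]:
    """Version of the cryptography distribution in this interpreter, or
    None when it is not installed (reads local metadata only, no network)."""
    try:
        return metadata.version("cryptography")
    except metadata.PackageNotFoundError:
        return None


def update_in_chunks(ctx, data, chunk_size: int = CHUNK_SIZE) -> bytes:
    """Push `data` through ctx.update() in pieces of at most chunk_size bytes.

    ctx is anything with the CipherContext interface, i.e. update(bytes-like)
    -> bytes, such as the object returned by Cipher(...).encryptor() or
    .decryptor(). Slices are memoryviews, so the input is not copied. The
    caller still calls ctx.finalize() afterwards.
    """
    if chunk_size <= 0:
        raise ValueError("chunk_size must be positive")
    view = memoryview(data).cast("B")      # count bytes, whatever the source
    pieces = []
    for offset in range(0, len(view), chunk_size):
        pieces.append(ctx.update(view[offset:offset + chunk_size]))
    return b"".join(pieces)


class RecordingContext:
    """Constructed stand-in for a CipherContext used to show the chunking:
    it performs no encryption, only records the size of every update() call
    and echoes the data back."""

    def __init__(self) -> None:
        self.sizes: List[int] = []

    def update(self, data) -> bytes:
        self.sizes.append(len(data))
        return bytes(data)

    def finalize(self) -> bytes:
        return b""


if __name__ == "__main__":
    ver = installed_cryptography()
    if ver is None:
        print("cryptography is not installed in this interpreter")
    else:
        print(f"cryptography {ver}: {'AFFECTED' if is_affected(ver) else 'fixed'}")
    # Chunking demo on a small constructed payload (256,000 bytes).
    ctx = RecordingContext()
    payload = bytes(range(256)) * 1000
    out = update_in_chunks(ctx, payload, chunk_size=100_000)
    print(ctx.sizes, out == payload)   # [100000, 100000, 56000] True
```

With a real context the usage is the same: `update_in_chunks(Cipher(...).encryptor(), plaintext)` followed by `finalize()`; the chunk boundary does not affect the ciphertext, since CipherContext carries partial-block state across update() calls.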
Other trackers: none listed
Mailing lists: none listed
Exploits: none listed
Forges: GitHub (code, issues), Aports (code, issues)

References

Type: URI
Exploit: https://github.com/pyca/cryptography/issues/5615
Release Notes: https://github.com/pyca/cryptography/blob/master/CHANGELOG.rst
Patch: https://github.com/pyca/cryptography/compare/3.3.1...3.3.2
Mailing List: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7RGQLK4J5ZQFRLKCHVVG6BKZTUQMG7E/
MISC: https://www.oracle.com/security-alerts/cpuapr2022.html

Match rules

CPE URI: cpe:2.3:a:cryptography_project:cryptography:*:*:*:*:*:python:*:*
Source package: py3-cryptography
Min version: none (no lower bound; every earlier version matches)
Max version: < 3.3.2

Vulnerable and fixed packages

Source package    Branch     Version   Maintainer                           Status
py3-cryptography  3.11-main  2.8-r1    August Klein <amatcoder@gmail.com>   possibly vulnerable
py3-cryptography  3.12-main  2.9.2-r0  August Klein <amatcoder@gmail.com>   possibly vulnerable
py3-cryptography  3.13-main  3.3.2-r0  August Klein <amatcoder@gmail.com>   fixed