CVE-2023-49083

Name
CVE-2023-49083
Description
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling `load_pem_pkcs7_certificates` or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference and segfault. Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system availability and stability. This vulnerability has been patched in version 41.0.6.
NVD Severity
unknown
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type: (not recorded)
URI: https://github.com/pyca/cryptography/security/advisories/GHSA-jfhm-5ghh-2f97

Type: (not recorded)
URI: https://github.com/pyca/cryptography/pull/9926

Type: (not recorded)
URI: https://github.com/pyca/cryptography/commit/f09c261ca10a31fe41b1262306db7f8f1da0e48a

Type: (not recorded)
URI: http://www.openwall.com/lists/oss-security/2023/11/29/2

Type: security-advisories@github.com
URI: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QMNTYMUGFJSDBYBU22FUYBHFRZODRKXV/

Match rules

CPE URI: cpe:2.3:a:cryptography_project:cryptography:*:*:*:*:*:python:*:*
Source package: py3-cryptography
Min version: >= 3.1
Max version: < 41.0.6

Vulnerable and fixed packages

Source package: py3-cryptography
Branch: 3.18-community
Version: 41.0.3-r0
Maintainer: Duncan Bellamy <dunk@denkimushi.com>
Status: possibly vulnerable