cryptography vulnerable to NULL-dereference when loading PKCS7 certificates
CVE-2023-49083

5.9MEDIUM

Key Information:

Vendor

Pyca

Status
Cryptography
Vendor
CVE Published:
29 November 2023

What is CVE-2023-49083?

The Cryptography package in Python is vulnerable to a NULL-pointer dereference issue that can occur when calling either load_pem_pkcs7_certificates or load_der_pkcs7_certificates. This may result in a segmentation fault, potentially leading to a Denial of Service (DoS) situation for applications that attempt to deserialize a malformed PKCS7 blob or certificate. The exploitation of this flaw threatens system availability and performance, making it crucial for users to update their installations to version 41.0.6 or later to mitigate these risks.

Affected Version(s)

cryptography >= 3.1, < 41.0.6

References

https://github.com/pyca/cryptography/security/advisories/...
x_refsource_CONFIRM
https://github.com/pyca/cryptography/pull/9926
x_refsource_MISC
https://github.com/pyca/cryptography/commit/f09c261ca10a3...
x_refsource_MISC

CVSS V3.1

Score:
5.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.