Buffer Over-read Vulnerability in CPython 3.9 and Earlier Due to Invalid SSLContext Configuration
CVE-2024-5642

6.5MEDIUM

Key Information:

Vendor
Python Software Foundation
Status
Cpython
Vendor
CVE Published:
27 June 2024

Summary

CPython 3.9 and earlier doesn't disallow configuring an empty list ("[]") for SSLContext.set_npn_protocols() which is an invalid value for the underlying OpenSSL API. This results in a buffer over-read when NPN is used (see CVE-2024-5535 for OpenSSL). This vulnerability is of low severity due to NPN being not widely used and specifying an empty list likely being uncommon in-practice (typically a protocol name would be configured).

Affected Version(s)

CPython 0 < 3.10.0b1

References

https://jbp.io/2024/06/27/cve-2024-5535-openssl-memory-sa...
third-party-advisory
https://github.com/python/cpython/pull/23014
mitigation
https://mail.python.org/archives/list/security-announce@p...
vendor-advisory

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

.