You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In versions 1.8 through 39.0.0, "Cipher.update_into" would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as "bytes") to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This now correctly raises an exception. This issue has been present since "update_into" was originally introduced in cryptography 1.8.
Cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling load_pem_pkcs7_certificates or load_der_pkcs7_certificates could lead to a NULL-pointer dereference and segfault. Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system availability and stability. This issue affects versions 3.1 through 41.0.5.
A flaw was found in the python cryptography package versions prior to 42.0.0. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data. This issue is an incomplete fix of CVE-2020-25659.
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting in version 38.0.0 and prior to version 42.0.4, if pkcs12.serialize_key_and_certificates is called with both a certificate whose public key did not match the provided private key and an encryption_algorithm with hmac_hash set (via PrivateFormat.PKCS12.encryption_builder().hmac_hash(...), then a NULL pointer dereference would occur, crashing the Python process. This has been resolved in version 42.0.4, the first version in which a ValueError is properly raised.
안녕하세요.
현재 PyPinkSign 프로젝트의 cryptography 패키지 버전 의존성은 38.0.3 입니다.
그런데 해당 cryptography 버전에는 아래와 같이 CVE 취약점이 공개되었습니다.
따라서 42.0.4 이상의 버전으로 의존성 업그레이드가 필요할 것 같습니다.
감사합니다.
Dependency pypi:cryptography:38.0.3 is vulnerable
Upgrade to 42.0.4
CVE-2023-23931, Score: 6.5
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In versions 1.8 through 39.0.0, "Cipher.update_into" would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as "bytes") to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This now correctly raises an exception. This issue has been present since "update_into" was originally introduced in cryptography 1.8.
Read More: https://devhub.checkmarx.com/cve-details/CVE-2023-23931?utm_source=jetbrains&utm_medium=referral
CVE-2023-38325, Score: 7.5
The cryptography package versions prior to 41.0.2 for Python mishandles SSH certificates that have critical options.
Read More: https://devhub.checkmarx.com/cve-details/CVE-2023-38325?utm_source=jetbrains&utm_medium=referral
CVE-2023-49083, Score: 7.5
Cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling
load_pem_pkcs7_certificatesorload_der_pkcs7_certificatescould lead to a NULL-pointer dereference and segfault. Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system availability and stability. This issue affects versions 3.1 through 41.0.5.Read More: https://devhub.checkmarx.com/cve-details/CVE-2023-49083?utm_source=jetbrains&utm_medium=referral
CVE-2023-50782, Score: 7.5
A flaw was found in the python cryptography package versions prior to 42.0.0. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data. This issue is an incomplete fix of CVE-2020-25659.
Read More: https://devhub.checkmarx.com/cve-details/CVE-2023-50782?utm_source=jetbrains&utm_medium=referral
CVE-2024-26130, Score: 7.5
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting in version 38.0.0 and prior to version 42.0.4, if
pkcs12.serialize_key_and_certificatesis called with both a certificate whose public key did not match the provided private key and anencryption_algorithmwithhmac_hashset (viaPrivateFormat.PKCS12.encryption_builder().hmac_hash(...), then a NULL pointer dereference would occur, crashing the Python process. This has been resolved in version 42.0.4, the first version in which aValueErroris properly raised.Read More: https://devhub.checkmarx.com/cve-details/CVE-2024-26130?utm_source=jetbrains&utm_medium=referral
Results powered by Checkmarx ©
The text was updated successfully, but these errors were encountered: