CVE-2023-49083

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling load_pem_pkcs7_certificates or load_der_pkcs7_certificates could lead to a NULL-pointer dereference and segfault. Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system availability and stability. This vulnerability has been patched in version 41.0.6.

Published: Nov 29, 2023
Updated: May 10, 2024
CVE: CVE-2023-49083
GHSA: GHSA-jfhm-5ghh-2f97
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWEs:

CWE-476

Affected Software
References

Software	From	Fixed in
cryptography	3.1	41.0.6
cryptography.io / cryptography	3.1	41.0.6

http://www.openwall.com/lists/oss-security/2023/11/29/2
https://github.com/pyca/cryptography/commit/f09c261ca10a31fe41b1262306db7f8f1da0e48a
https://github.com/pyca/cryptography/pull/9926
https://github.com/pyca/cryptography/security/advisories/GHSA-jfhm-5ghh-2f97
https://github.com/pypa/advisory-database/tree/main/vulns/cryptography/PYSEC-2023-254.yaml
https://lists.fedoraproject.org/archives/list/[email protected]/message/QMNTYMUGFJSDBYBU22FUYBHFRZODRKXV
https://lists.fedoraproject.org/archives/list/[email protected]/message/QMNTYMUGFJSDBYBU22FUYBHFRZODRKXV/

Vulnerability Database

289,599

CVE-2023-49083