Vulnerability Details CVE-2023-49083
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling `load_pem_pkcs7_certificates` or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference and segfault. Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system availability and stability. This vulnerability has been patched in version 41.0.6.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.004
EPSS Ranking 62.4%
CVSS Severity
CVSS v3 Score 5.9
References
- https://github.com/pyca/cryptography/commit/f09c261ca10a31fe41b1262306db7f8f1da0e48a
- https://github.com/pyca/cryptography/pull/9926
- https://github.com/pyca/cryptography/security/advisories/GHSA-jfhm-5ghh-2f97
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QMNTYMUGFJSDBYBU22FUYBHFRZODRKXV/
- https://github.com/pyca/cryptography/commit/f09c261ca10a31fe41b1262306db7f8f1da0e48a
- https://github.com/pyca/cryptography/pull/9926
- https://github.com/pyca/cryptography/security/advisories/GHSA-jfhm-5ghh-2f97
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QMNTYMUGFJSDBYBU22FUYBHFRZODRKXV/
Products affected by CVE-2023-49083
-
cpe:2.3:a:cryptography.io:cryptography:3.1
-
cpe:2.3:a:cryptography.io:cryptography:3.1.1
-
cpe:2.3:a:cryptography.io:cryptography:3.2
-
cpe:2.3:a:cryptography.io:cryptography:3.2.1
-
cpe:2.3:a:cryptography.io:cryptography:3.3
-
cpe:2.3:a:cryptography.io:cryptography:3.3.1
-
cpe:2.3:a:cryptography.io:cryptography:3.3.2
-
cpe:2.3:a:cryptography.io:cryptography:3.4
-
cpe:2.3:a:cryptography.io:cryptography:3.4.1
-
cpe:2.3:a:cryptography.io:cryptography:3.4.2
-
cpe:2.3:a:cryptography.io:cryptography:3.4.3
-
cpe:2.3:a:cryptography.io:cryptography:3.4.4
-
cpe:2.3:a:cryptography.io:cryptography:3.4.5
-
cpe:2.3:a:cryptography.io:cryptography:3.4.6
-
cpe:2.3:a:cryptography.io:cryptography:3.4.7
-
cpe:2.3:a:cryptography.io:cryptography:3.4.8
-
cpe:2.3:a:cryptography.io:cryptography:35.0.0
-
cpe:2.3:a:cryptography.io:cryptography:36.0.0
-
cpe:2.3:a:cryptography.io:cryptography:36.0.1
-
cpe:2.3:a:cryptography.io:cryptography:36.0.2
-
cpe:2.3:a:cryptography.io:cryptography:37.0.0
-
cpe:2.3:a:cryptography.io:cryptography:37.0.1
-
cpe:2.3:a:cryptography.io:cryptography:37.0.2
-
cpe:2.3:a:cryptography.io:cryptography:37.0.3
-
cpe:2.3:a:cryptography.io:cryptography:37.0.4
-
cpe:2.3:a:cryptography.io:cryptography:38.0.0
-
cpe:2.3:a:cryptography.io:cryptography:38.0.1
-
cpe:2.3:a:cryptography.io:cryptography:38.0.2
-
cpe:2.3:a:cryptography.io:cryptography:38.0.3
-
cpe:2.3:a:cryptography.io:cryptography:38.0.4
-
cpe:2.3:a:cryptography.io:cryptography:39.0.0
-
cpe:2.3:a:cryptography.io:cryptography:39.0.1
-
cpe:2.3:a:cryptography.io:cryptography:39.0.2
-
cpe:2.3:a:cryptography.io:cryptography:40.0.0
-
cpe:2.3:a:cryptography.io:cryptography:40.0.1
-
cpe:2.3:a:cryptography.io:cryptography:40.0.2
-
cpe:2.3:a:cryptography.io:cryptography:41.0.0
-
cpe:2.3:a:cryptography.io:cryptography:41.0.1
-
cpe:2.3:a:cryptography.io:cryptography:41.0.2
-
cpe:2.3:a:cryptography.io:cryptography:41.0.3
-
cpe:2.3:a:cryptography.io:cryptography:41.0.4
-
cpe:2.3:a:cryptography.io:cryptography:41.0.5