CVE-2024-26130

Published: Feb 21, 2024

Modified: Aug 14, 2024

PUBLISHED

CVSS v3.1

7.5

HIGH

Description

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting in version 38.0.0 and prior to version 42.0.4, if `pkcs12.serialize_key_and_certificates` is called with both a certificate whose public key did not match the provided private key and an `encryption_algorithm` with `hmac_hash` set (via `PrivateFormat.PKCS12.encryption_builder().hmac_hash(...)`, then a NULL pointer dereference would occur, crashing the Python process. This has been resolved in version 42.0.4, the first version in which a `ValueError` is properly raised.

Vendor	Product	Versions
pyca	cryptography	affected `>= 38.0.0, < 42.0.4`

Weaknesses (CWE)

CWE-476

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

References

https://github.com/pyca/cryptography/security/advisories/GHSA-6vqw-3v5j-54x4

x_refsource_CONFIRM

https://github.com/pyca/cryptography/pull/10423

x_refsource_MISC

https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2024-26130

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References