QwikSec

Security Database

CVE

CWE

Training

CVE-2024-5642

Published: Jun 27, 2024

Modified: Apr 21, 2026

PUBLISHED

Description

CPython 3.9 and earlier doesn't disallow configuring an empty list ("[]") for SSLContext.set_npn_protocols() which is an invalid value for the underlying OpenSSL API. This results in a buffer over-read when NPN is used (see CVE-2024-5535 for OpenSSL). This vulnerability is of low severity due to NPN being not widely used and specifying an empty list likely being uncommon in-practice (typically a protocol name would be configured).

Vendor	Product	Versions
Python Software Foundation	CPython	affected `0 - < 3.10.0b1`

References

https://jbp.io/2024/06/27/cve-2024-5535-openssl-memory-safety.html

third-party-advisory

https://github.com/python/cpython/pull/23014

mitigation

https://mail.python.org/archives/list/[email protected]/thread/PLP2JI3PJY33YG6P5BZYSSNU66HASXBQ/

vendor-advisory

https://github.com/python/cpython/commit/39258d3595300bc7b952854c915f63ae2d4b9c3e

patch

http://www.openwall.com/lists/oss-security/2024/06/28/4

https://github.com/python/cpython/issues/121227

issue-tracking

https://security.netapp.com/advisory/ntap-20240726-0005/

https://github.com/python/cpython/commit/a2cdbb6e8188ba9ba8b356b28d91bff60e86fe31

patch

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.