CVE-2024-26130

2024-02-2117:15:09

Debian Security Bug Tracker

security-tracker.debian.org

cve-2024-26130

python developers

cryptographic primitives

pkcs12 serialization

hmac hash

null pointer dereference

valueerror

unix

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

0.0004 Low

EPSS

Percentile

15.5%

JSON

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting in version 38.0.0 and prior to version 42.0.4, if pkcs12.serialize_key_and_certificates is called with both a certificate whose public key did not match the provided private key and an encryption_algorithm with hmac_hash set (via PrivateFormat.PKCS12.encryption_builder().hmac_hash(...), then a NULL pointer dereference would occur, crashing the Python process. This has been resolved in version 42.0.4, the first version in which a ValueError is properly raised.

OSVersionArchitecturePackageVersionFilename
Debian12allpython-cryptography<= 38.0.4-3python-cryptography_38.0.4-3_all.deb
Debian11allpython-cryptography<= 3.3.2-1python-cryptography_3.3.2-1_all.deb
Debian10allpython-cryptography<= 2.6.1-3+deb10u2python-cryptography_2.6.1-3+deb10u2_all.deb
Debian999allpython-cryptography< 42.0.5-1python-cryptography_42.0.5-1_all.deb
Debian13allpython-cryptography< 42.0.5-1python-cryptography_42.0.5-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	python-cryptography	<= 38.0.4-3	python-cryptography_38.0.4-3_all.deb
Debian	11	all	python-cryptography	<= 3.3.2-1	python-cryptography_3.3.2-1_all.deb
Debian	10	all	python-cryptography	<= 2.6.1-3+deb10u2	python-cryptography_2.6.1-3+deb10u2_all.deb
Debian	999	all	python-cryptography	< 42.0.5-1	python-cryptography_42.0.5-1_all.deb
Debian	13	all	python-cryptography	< 42.0.5-1	python-cryptography_42.0.5-1_all.deb