Lucene search

GoogleOSV:GHSA-CF7P-GM2M-833M

HistoryJul 14, 2023 - 9:31 p.m.

cryptography mishandles SSH certificates

2023-07-1421:31:08

Google

osv.dev

cryptography

ssh

certificates

critical options

python

software

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

JSON

The cryptography package before 41.0.2 for Python mishandles SSH certificates that have critical options.

CPENameOperatorVersion
cryptographyeq41.0.0
cryptographyeq40.0.2
cryptographyeq40.0.1
cryptographyeq41.0.1
cryptographyeq40.0.0

Name	Operator	Version
cryptography	eq	41.0.0
cryptography	eq	40.0.2
cryptography	eq	40.0.1
cryptography	eq	41.0.1
cryptography	eq	40.0.0

References

github.com/pyca/cryptography

github.com/pyca/cryptography/commit/1ca7adc97b76a9dfbd3d850628b613eb93b78fc3

github.com/pyca/cryptography/compare/41.0.1...41.0.2

github.com/pyca/cryptography/issues/9207

github.com/pyca/cryptography/pull/7960

github.com/pyca/cryptography/pull/9208

github.com/pypa/advisory-database/tree/main/vulns/cryptography/PYSEC-2023-112.yaml

lists.fedoraproject.org/archives/list/[email protected]/message/NMCCTYY3CSNQBFFYYC5DAV6KATHWCUZK

nvd.nist.gov/vuln/detail/CVE-2023-38325

pypi.org/project/cryptography/#history

security.netapp.com/advisory/ntap-20230824-0010

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

JSON

Related for OSV:GHSA-CF7P-GM2M-833M