Skip to content

x/vulndb: potential Go vuln in github.com/pyca/cryptography: CVE-2023-49083 #2367

New issue
New issue
Closed
Closed
x/vulndb: potential Go vuln in github.com/pyca/cryptography: CVE-2023-49083#2367
Assignees
maceonthompson
Labels
excluded: NOT_GO_CODEThis vulnerability does not refer to a Go module.
@GoVulnBot

Description

@GoVulnBot
GoVulnBot
opened on Nov 29, 2023

CVE-2023-49083 references github.com/pyca/cryptography, which may be a Go module.

Description:
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling load_pem_pkcs7_certificates or load_der_pkcs7_certificates could lead to a NULL-pointer dereference and segfault. Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system availability and stability. This vulnerability has been patched in version 41.0.6.

References:

Cross references:

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/pyca/cryptography
      vulnerable_at: 0.0.0-20231129023145-11e92173875d
      packages:
        - package: cryptography
cves:
    - CVE-2023-49083
references:
    - advisory: https://github.com/pyca/cryptography/security/advisories/GHSA-jfhm-5ghh-2f97
    - fix: https://github.com/pyca/cryptography/pull/9926
    - fix: https://github.com/pyca/cryptography/commit/f09c261ca10a31fe41b1262306db7f8f1da0e48a

Metadata

Metadata

Assignees

Labels

excluded: NOT_GO_CODEThis vulnerability does not refer to a Go module.

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions