CVE-2023-49083
cryptography vulnerable to NULL-dereference when loading PKCS7 certificates
- Severity Score:
- Exploit Likelihood:
- Affected Versions:
- Public Exploits: 1
- Exploited in Wild: -
- Decision: -
Descriptions
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling `load_pem_pkcs7_certificates` or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference and segfault. Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system availability and stability. This vulnerability has been patched in version 41.0.6.
A null-pointer dereference vulnerability was found in python-cryptography during the loading of PKCS7 certificates. Invoking "load_pem_pkcs7_certificates" or "load_der_pkcs7_certificates" can trigger this issue and lead to subsequent segmentation fault and result in a Denial of Service (DoS) for any application aiming to deserialize a PKCS7 blob or certificate. The potential impact includes disruptions in system availability and stability.
It was discovered that the python-cryptography Cipher.update_into function would incorrectly accept objects with immutable buffers. This would result in corrupted output, contrary to expectations. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, and Ubuntu 23.04. It was discovered that python-cryptography incorrectly handled loading certain PKCS7 certificates. A remote attacker could possibly use this issue to cause python-cryptography to crash, resulting in a denial of service. This issue only affected Ubuntu 22.04 LTS, Ubuntu 23.04, and Ubuntu 23.10.
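A NULL dereference inside OpenSSL-backed code cannot be caught with a Python `try`/`except`; the interpreter simply dies. The two checks below are an added example, not code from the pyca/cryptography project or from any of the advisories quoted above: a version gate for the affected range stated on this page (>= 3.1, < 41.0.6), and a wrapper that runs an untrusted-input parser in a forked child process so that a segfault kills the child rather than the application. The parsers in the block are stand-ins (one deliberately raises SIGSEGV on itself to mimic the crash, the other returns a byte count); the placeholder input is a constructed byte string, not a real PKCS7 blob, and the fork-based isolation assumes a POSIX platform.

```python
"""Defensive checks around CVE-2023-49083 (added example, not pyca code).

1. A version gate for the advisory's affected range (>= 3.1, < 41.0.6).
2. Running an untrusted-input parser in a forked child so that a segfault in
   native code kills the child, not the application.
"""
import multiprocessing as mp
import os
import signal

# Affected range taken from the advisory on this page.
AFFECTED_MIN = (3, 1)
FIXED_IN = (41, 0, 6)


def parse_version(version: str) -> tuple:
    """'41.0.6' -> (41, 0, 6); a suffix such as 'rc1' or '.post0' is dropped."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when this cryptography version falls inside the advisory's range."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_IN


def _worker(parser, data, conn):
    """Child side: run the parser and report either a result or an exception."""
    try:
        conn.send(("ok", parser(data)))
    except Exception as exc:  # a Python-level error is reported, not a crash
        conn.send(("error", repr(exc)))
    finally:
        conn.close()


def load_isolated(parser, data, timeout=10.0):
    """Run parser(data) in a child process.

    A segfault in the child (what CVE-2023-49083 causes) surfaces here as a
    RuntimeError naming the signal instead of taking the whole process down.
    """
    method = "fork" if "fork" in mp.get_all_start_methods() else "spawn"
    ctx = mp.get_context(method)
    read_end, write_end = ctx.Pipe(duplex=False)
    proc = ctx.Process(target=_worker, args=(parser, data, write_end))
    proc.start()
    write_end.close()  # parent holds only the read end: EOF means the child is gone
    outcome = None
    try:
        if read_end.poll(timeout):
            outcome = read_end.recv()
    except EOFError:
        outcome = None  # child died before it could report anything
    finally:
        read_end.close()
    proc.join(timeout)
    if proc.exitcode is None:
        proc.kill()
        proc.join()
        raise TimeoutError("parser did not finish within %.1fs" % timeout)
    if proc.exitcode < 0:
        sig = -proc.exitcode
        raise RuntimeError(f"parser crashed with signal {sig} ({signal.Signals(sig).name})")
    if outcome is None:
        raise RuntimeError(f"parser exited with status {proc.exitcode} and no result")
    status, payload = outcome
    if status == "error":
        raise ValueError(f"parser raised: {payload}")
    return payload


def segfaulting_parser(data: bytes):
    """Stand-in for the vulnerable loader: dies with SIGSEGV like the real bug."""
    os.kill(os.getpid(), signal.SIGSEGV)


def counting_parser(data: bytes) -> int:
    """Stand-in for a healthy loader: returns the number of bytes it saw."""
    return len(data)


if __name__ == "__main__":
    print("41.0.5 affected:", is_affected("41.0.5"))  # True
    print("41.0.6 affected:", is_affected("41.0.6"))  # False
    blob = b"\x30\x03\x02\x01\x00"  # constructed placeholder, not a real PKCS7 blob
    print("bytes seen:", load_isolated(counting_parser, blob))
    try:
        load_isolated(segfaulting_parser, blob)
    except RuntimeError as exc:
        print("caught:", exc)
```

In a real deployment the parser handed to `load_isolated` would be `load_der_pkcs7_certificates` (its return value, a list of certificate objects, is pickled back over the pipe), and the version gate belongs in a startup check or a dependency pin; the isolation is a containment measure, not a substitute for upgrading to 41.0.6 or later.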
CVSS Scores
SSVC
- Decision: -
Timeline
- 2023-11-21 CVE Reserved
- 2023-11-29 CVE Published
- 2025-02-13 CVE Updated
- 2025-02-13 First Exploit
- 2025-03-30 EPSS Updated
- Exploited in Wild: none recorded
- KEV Due Date: none recorded
CWE
- CWE-476: NULL Pointer Dereference
CAPEC
References (6)
URL | Date | Source
---|---|---
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QMNTYMUGFJSDBYBU22FUYBHFRZODRKXV | |
https://github.com/pyca/cryptography/security/advisories/GHSA-jfhm-5ghh-2f97 | 2025-02-13 |
https://github.com/pyca/cryptography/commit/f09c261ca10a31fe41b1262306db7f8f1da0e48a | 2024-02-17 |
https://github.com/pyca/cryptography/pull/9926 | 2024-02-17 |
https://access.redhat.com/security/cve/CVE-2023-49083 | 2024-06-10 |
https://bugzilla.redhat.com/show_bug.cgi?id=2255331 | 2024-06-10 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Cryptography Project | Cryptography | >= 3.1 < 41.0.6 | python | Affected