CVE-2024-5642

Buffer overread when using an empty list with SSLContext.set_npn_protocols()

Severity Score

6.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

CPython 3.9 and earlier doesn't disallow configuring an empty list ("[]") for SSLContext.set_npn_protocols() which is an invalid value for the underlying OpenSSL API. This results in a buffer over-read when NPN is used (see CVE-2024-5535 for OpenSSL). This vulnerability is of low severity due to NPN being not widely used and specifying an empty list likely being uncommon in-practice (typically a protocol name would be configured).

CPython 3.9 y versiones anteriores no permiten la configuración de una lista vacía ("[]") para SSLContext.set_npn_protocols(), que es un valor no válido para la API OpenSSL subyacente. Esto da como resultado una lectura excesiva del búfer cuando se utiliza NPN (consulte CVE-2024-5535 para OpenSSL). Esta vulnerabilidad es de baja gravedad debido a que NPN no se usa ampliamente y especificar una lista vacía probablemente sea poco común en la práctica (normalmente se configuraría un nombre de protocolo).

This update for python39 fixes the following issues. Fixed email header injection due to unquoted newlines Removed support for anything but OpenSSL 1.1.1 or newer. Fixed executable bits for /usr/bin/idle*. Improve python reproducible builds.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

Low

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

Low

Attack Vector

Network

Attack Complexity

High

Authentication

None

Confidentiality

Partial

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-06-04 CVE Reserved
2024-06-27 CVE Published
2025-10-09 CVE Updated
2025-10-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (8)

URL	Tag	Source
http://www.openwall.com/lists/oss-security/2024/06/28/4
https://github.com/python/cpython/issues/121227	Issue Tracking
https://github.com/python/cpython/pull/23014	Mitigation
https://jbp.io/2024/06/27/cve-2024-5535-openssl-memory-safety.html	Third Party Advisory
https://security.netapp.com/advisory/ntap-20240726-0005

URL	Date	SRC

URL	Date	SRC
https://github.com/python/cpython/commit/39258d3595300bc7b952854c915f63ae2d4b9c3e	2024-07-01
https://github.com/python/cpython/commit/a2cdbb6e8188ba9ba8b356b28d91bff60e86fe31	2025-10-09

URL	Date	SRC
https://mail.python.org/archives/list/security-announce@python.org/thread/PLP2JI3PJY33YG6P5BZYSSNU66HASXBQ	2024-07-01

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Python Software Foundation Search vendor "Python Software Foundation"		CPython Search vendor "Python Software Foundation" for product "CPython"				< 3.9.24 Search vendor "Python Software Foundation" for product "CPython" and version " < 3.9.24"		en		Affected