7.5

CVE-2024-26130

EPSS 0.34%
Published 21.02.2024 17:15:09
Last modified 05.02.2025 22:09:20
Source security-advisories@github.com
Teams watchlist Login
Open Login

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting in version 38.0.0 and prior to version 42.0.4, if `pkcs12.serialize_key_and_certificates` is called with both a certificate whose public key did not match the provided private key and an `encryption_algorithm` with `hmac_hash` set (via `PrivateFormat.PKCS12.encryption_builder().hmac_hash(...)`, then a NULL pointer dereference would occur, crashing the Python process. This has been resolved in version 42.0.4, the first version in which a `ValueError` is properly raised.

Affected products Warnungen 0 Metrics 3 CWE 1 References 6

Data is provided by the National Vulnerability Database (NVD)

Cryptography.Io ≫ Cryptography SwPlatformpython Version >= 38.0.0 < 42.0.4

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.34%	0.562

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
security-advisories@github.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-476 NULL Pointer Dereference

The product dereferences a pointer that it expects to be valid but is NULL.

https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55

Patch

https://github.com/pyca/cryptography/pull/10423

Patch

Issue Tracking

https://github.com/pyca/cryptography/security/advisories/GHSA-6vqw-3v5j-54x4

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-26130

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-26130

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-26130

EUVD