CVE-2023-38325 (High) detected in cryptography-2.8-cp34-abi3-manylinux2010_x86_64.whl

[mend-bolt-for-github[bot]]

CVE-2023-38325 - High Severity Vulnerability

Vulnerable Library - cryptography-2.8-cp34-abi3-manylinux2010_x86_64.whl

cryptography is a package which provides cryptographic recipes and primitives to Python developers.

Library home page: https://files.pythonhosted.org/packages/ca/9a/7cece52c46546e214e10811b36b2da52ce1ea7fa203203a629b8dfadad53/cryptography-2.8-cp34-abi3-manylinux2010_x86_64.whl

Path to dependency file: /tmp/ws-ua_20220122232947_MZFNWS/archiveExtraction_KXRZMM/PZSZKX/20220122232947/codechung_depth_1/awscli-bundle/awscli-bundle/packages/urllib3-1.25.10.tar/urllib3-1.25.10/docs/requirements.txt

Path to vulnerable library: /awscli-bundle/awscli-bundle/packages/urllib3-1.25.10.tar/urllib3-1.25.10/docs/requirements.txt,/awscli-bundle/awscli-bundle/packages/urllib3-1.25.10.tar/urllib3-1.25.10/dev-requirements.txt,/awscli-bundle/packages/urllib3-1.25.10.tar/urllib3-1.25.10/docs/requirements.txt,/awscli-bundle/packages/urllib3-1.25.10.tar/urllib3-1.25.10/dev-requirements.txt

Dependency Hierarchy: - :x: **cryptography-2.8-cp34-abi3-manylinux2010_x86_64.whl** (Vulnerable Library)

Found in HEAD commit: de1c2b0d1a23367b161c2d995029f9693bd8a155

Found in base branch: master

Vulnerability Details

The cryptography package before 41.0.2 for Python mishandles SSH certificates that have critical options.

Publish Date: 2023-07-14

URL: CVE-2023-38325

CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-38325

Release Date: 2023-07-14

Fix Resolution: 41.0.2

---

Step up your Open Source Security Game with Mend here