search

Vonage / vonage-python-code-snippets

Python code examples for using Vonage communications APIs
MIT License
32 stars 56 forks source link

cryptography-41.0.4-cp37-abi3-manylinux_2_28_x86_64.whl: 3 vulnerabilities (highest severity is: 7.5) - autoclosed #208

Closed mend-for-github-com[bot] closed 1 month ago

mend-for-github-com[bot] commented 6 months ago
Vulnerable Library - cryptography-41.0.4-cp37-abi3-manylinux_2_28_x86_64.whl

cryptography is a package which provides cryptographic recipes and primitives to Python developers.

Library home page: https://files.pythonhosted.org/packages/eb/4b/f86cc66c632cf0948ca1712aadd255f624deef1cd371ea3bfd30851e188d/cryptography-41.0.4-cp37-abi3-manylinux_2_28_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Vulnerabilities

CVE Severity CVSS Exploit Maturity EPSS Dependency Type Fixed in (cryptography version) Remediation Possible** Reachability
CVE-2024-26130 High 7.5 Not Defined 0.0% cryptography-41.0.4-cp37-abi3-manylinux_2_28_x86_64.whl Direct 42.0.4
CVE-2023-50782 High 7.5 Not Defined 0.1% cryptography-41.0.4-cp37-abi3-manylinux_2_28_x86_64.whl Direct 42.0.0
CVE-2023-49083 High 7.5 Not Defined 0.1% cryptography-41.0.4-cp37-abi3-manylinux_2_28_x86_64.whl Direct 41.0.6

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-26130 ### Vulnerable Library - cryptography-41.0.4-cp37-abi3-manylinux_2_28_x86_64.whl

cryptography is a package which provides cryptographic recipes and primitives to Python developers.

Library home page: https://files.pythonhosted.org/packages/eb/4b/f86cc66c632cf0948ca1712aadd255f624deef1cd371ea3bfd30851e188d/cryptography-41.0.4-cp37-abi3-manylinux_2_28_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy: - :x: **cryptography-41.0.4-cp37-abi3-manylinux_2_28_x86_64.whl** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting in version 38.0.0 and prior to version 42.0.4, if `pkcs12.serialize_key_and_certificates` is called with both a certificate whose public key did not match the provided private key and an `encryption_algorithm` with `hmac_hash` set (via `PrivateFormat.PKCS12.encryption_builder().hmac_hash(...)`, then a NULL pointer dereference would occur, crashing the Python process. This has been resolved in version 42.0.4, the first version in which a `ValueError` is properly raised.

Publish Date: 2024-02-21

URL: CVE-2024-26130

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/pyca/cryptography/security/advisories/GHSA-6vqw-3v5j-54x4

Release Date: 2024-02-21

Fix Resolution: 42.0.4

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2023-50782 ### Vulnerable Library - cryptography-41.0.4-cp37-abi3-manylinux_2_28_x86_64.whl

cryptography is a package which provides cryptographic recipes and primitives to Python developers.

Library home page: https://files.pythonhosted.org/packages/eb/4b/f86cc66c632cf0948ca1712aadd255f624deef1cd371ea3bfd30851e188d/cryptography-41.0.4-cp37-abi3-manylinux_2_28_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy: - :x: **cryptography-41.0.4-cp37-abi3-manylinux_2_28_x86_64.whl** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.

Publish Date: 2024-02-05

URL: CVE-2023-50782

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-3ww4-gg4f-jr7f

Release Date: 2024-02-05

Fix Resolution: 42.0.0

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2023-49083 ### Vulnerable Library - cryptography-41.0.4-cp37-abi3-manylinux_2_28_x86_64.whl

cryptography is a package which provides cryptographic recipes and primitives to Python developers.

Library home page: https://files.pythonhosted.org/packages/eb/4b/f86cc66c632cf0948ca1712aadd255f624deef1cd371ea3bfd30851e188d/cryptography-41.0.4-cp37-abi3-manylinux_2_28_x86_64.whl

Path to dependency file: /requirements.txt

Path to vulnerable library: /requirements.txt

Dependency Hierarchy: - :x: **cryptography-41.0.4-cp37-abi3-manylinux_2_28_x86_64.whl** (Vulnerable Library)

Found in base branch: main

### Vulnerability Details

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling `load_pem_pkcs7_certificates` or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference and segfault. Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system availability and stability. This vulnerability has been patched in version 41.0.6.

Publish Date: 2023-11-29

URL: CVE-2023-49083

### Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-49083

Release Date: 2023-11-29

Fix Resolution: 41.0.6

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.

mend-for-github-com[bot] commented 1 month ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

mend-for-github-com[bot] commented 1 month ago

:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.

mend-for-github-com[bot] commented 1 month ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.