search

dreamboy9 / mongo

The MongoDB Database
https://www.mongodb.com/
Other
0 stars 0 forks source link

CVE-2023-50782 (High) detected in cryptography-2.3-cp34-abi3-manylinux1_x86_64.whl, cryptography-3.4.7-cp36-abi3-manylinux2014_x86_64.whl #156

Open mend-bolt-for-github[bot] opened 8 months ago

mend-bolt-for-github[bot] commented 8 months ago

CVE-2023-50782 - High Severity Vulnerability

Vulnerable Libraries - cryptography-2.3-cp34-abi3-manylinux1_x86_64.whl, cryptography-3.4.7-cp36-abi3-manylinux2014_x86_64.whl

cryptography-2.3-cp34-abi3-manylinux1_x86_64.whl

cryptography is a package which provides cryptographic recipes and primitives to Python developers.

Library home page: https://files.pythonhosted.org/packages/c2/fa/fa9a8933c285895935d1392922fe721e9cb1b2c1881d14f149213a227ee3/cryptography-2.3-cp34-abi3-manylinux1_x86_64.whl

Path to dependency file: /etc/pip/dev-requirements.txt

Path to vulnerable library: /etc/pip/dev-requirements.txt,/etc/pip/dev-requirements.txt,/etc/pip/jira-requirements.txt,/etc/pip/toolchain-requirements.txt,/src/third_party/wiredtiger/bench/workgen

Dependency Hierarchy: - :x: **cryptography-2.3-cp34-abi3-manylinux1_x86_64.whl** (Vulnerable Library)

cryptography-3.4.7-cp36-abi3-manylinux2014_x86_64.whl

cryptography is a package which provides cryptographic recipes and primitives to Python developers.

Library home page: https://files.pythonhosted.org/packages/b2/26/7af637e6a7e87258b963f1731c5982fb31cd507f0d90d91836e446955d02/cryptography-3.4.7-cp36-abi3-manylinux2014_x86_64.whl

Path to dependency file: /src/third_party/wiredtiger/bench/workgen

Path to vulnerable library: /src/third_party/wiredtiger/bench/workgen

Dependency Hierarchy: - :x: **cryptography-3.4.7-cp36-abi3-manylinux2014_x86_64.whl** (Vulnerable Library)

Found in HEAD commit: 60ef70ebd8d46f4c893b3fb90ccf2616f8e21d2b

Found in base branch: master

Vulnerability Details

A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.

Publish Date: 2024-02-05

URL: CVE-2023-50782

CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-3ww4-gg4f-jr7f

Release Date: 2024-02-05

Fix Resolution: 42.0.0

Step up your Open Source Security Game with Mend here