CVE-2023-38325
Published: July 14, 2023Last modified: February 6, 2024
Description
The cryptography package before 41.0.2 for Python mishandles SSH certificates that have critical options.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 7.5 |
| Attack Vector | NETWORK |
| Attack complexity | LOW |
| Privileges required | NONE |
| User interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality | NONE |
| Integrity impact | HIGH |
| Availability impact | NONE |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
Notes
Introduced in 40.0.0: https://github.com/pyca/cryptography/commit/aca8de845e751dd45fe4e48f8492f357d34d1861
Status
| Product | Release | Package | Status |
|---|---|---|---|
| Alpaquita Linux | Stream | py3-cryptography | Not affected (41.0.3-r0) |
References
- https://github.com/pyca/cryptography/compare/41.0.1...41.0.2
- https://github.com/pyca/cryptography/issues/9207
- https://github.com/pyca/cryptography/pull/9208
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NMCCTYY3CSNQBFFYYC5DAV6KATHWCUZK/
- https://lists.fedoraproject.org/archives/list/[email protected]/message/NMCCTYY3CSNQBFFYYC5DAV6KATHWCUZK/
- https://pypi.org/project/cryptography/#history
- https://security.netapp.com/advisory/ntap-20230824-0010/