Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/1055153?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/1055153?format=api", "purl": "pkg:deb/debian/python-cryptography@38.0.4-3%2Bdeb12u1", "type": "deb", "namespace": "debian", "name": "python-cryptography", "version": "38.0.4-3+deb12u1", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "46.0.7-1", "latest_non_vulnerable_version": "46.0.7-1", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/20964?format=api", "vulnerability_id": "VCID-f44c-ygbw-bufn", "summary": "cryptography Vulnerable to a Subgroup Attack Due to Missing Subgroup Validation for SECT Curves\n## Vulnerability Summary\n\nThe `public_key_from_numbers` (or `EllipticCurvePublicNumbers.public_key()`), `EllipticCurvePublicNumbers.public_key()`, `load_der_public_key()` and `load_pem_public_key()` functions do not verify that the point belongs to the expected prime-order subgroup of the curve.\n\nThis missing validation allows an attacker to provide a public key point `P` from a small-order subgroup. This can lead to security issues in various situations, such as the most commonly used signature verification (ECDSA) and shared key negotiation (ECDH). When the victim computes the shared secret as `S = [victim_private_key]P` via ECDH, this leaks information about `victim_private_key mod (small_subgroup_order)`. For curves with cofactor > 1, this reveals the least significant bits of the private key. When these weak public keys are used in ECDSA , it's easy to forge signatures on the small subgroup.\n\nOnly SECT curves are impacted by this.\n\n## Credit\n\nThis vulnerability was discovered by:\n- XlabAI Team of Tencent Xuanwu Lab\n- Atuin Automated Vulnerability Discovery Engine", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-26007.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.4", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-26007.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-26007", "reference_id": "", "reference_type": "", "scores": [ { "value": "8e-05", "scoring_system": "epss", "scoring_elements": "0.00684", "published_at": "2026-04-16T12:55:00Z" }, { "value": "8e-05", "scoring_system": "epss", "scoring_elements": "0.00691", "published_at": "2026-04-13T12:55:00Z" }, { "value": "8e-05", "scoring_system": "epss", "scoring_elements": "0.00697", "published_at": "2026-04-11T12:55:00Z" }, { "value": "8e-05", "scoring_system": "epss", "scoring_elements": "0.00707", "published_at": "2026-04-08T12:55:00Z" }, { "value": "8e-05", "scoring_system": "epss", "scoring_elements": "0.00708", "published_at": "2026-04-07T12:55:00Z" }, { "value": "9e-05", "scoring_system": "epss", "scoring_elements": "0.00944", "published_at": "2026-04-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-26007" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26007", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26007" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/pyca/cryptography", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pyca/cryptography" }, { "reference_url": "https://github.com/pyca/cryptography/commit/0eebb9dbb6343d9bc1d91e5a2482ed4e054a6d8c", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-11T21:28:38Z/" } ], "url": "https://github.com/pyca/cryptography/commit/0eebb9dbb6343d9bc1d91e5a2482ed4e054a6d8c" }, { "reference_url": "https://github.com/pyca/cryptography/releases/tag/46.0.5", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pyca/cryptography/releases/tag/46.0.5" }, { "reference_url": "https://github.com/pyca/cryptography/security/advisories/GHSA-r6ph-v2qm-q3c2", "reference_id": "", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-11T21:28:38Z/" } ], "url": "https://github.com/pyca/cryptography/security/advisories/GHSA-r6ph-v2qm-q3c2" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26007", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26007" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2026/02/10/4", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.2", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2026/02/10/4" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127926", "reference_id": "1127926", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1127926" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2438762", "reference_id": "2438762", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2438762" }, { "reference_url": "https://github.com/advisories/GHSA-r6ph-v2qm-q3c2", "reference_id": "GHSA-r6ph-v2qm-q3c2", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-r6ph-v2qm-q3c2" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:2694", "reference_id": "RHSA-2026:2694", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:2694" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:5168", "reference_id": "RHSA-2026:5168", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:5168" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:5665", "reference_id": "RHSA-2026:5665", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:5665" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:6308", "reference_id": "RHSA-2026:6308", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:6308" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:6309", "reference_id": "RHSA-2026:6309", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:6309" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:6404", "reference_id": "RHSA-2026:6404", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:6404" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:6497", "reference_id": "RHSA-2026:6497", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:6497" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:6567", "reference_id": "RHSA-2026:6567", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:6567" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2026:6568", "reference_id": "RHSA-2026:6568", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2026:6568" }, { "reference_url": "https://usn.ubuntu.com/8087-1/", "reference_id": "USN-8087-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/8087-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1055154?format=api", "purl": "pkg:deb/debian/python-cryptography@43.0.0-3%2Bdeb13u1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-rgsr-9wpx-qqg6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-cryptography@43.0.0-3%252Bdeb13u1" } ], "aliases": [ "CVE-2026-26007", "GHSA-r6ph-v2qm-q3c2" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-f44c-ygbw-bufn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/24146?format=api", "vulnerability_id": "VCID-rgsr-9wpx-qqg6", "summary": "cryptography has incomplete DNS name constraint enforcement on peer names\n## Summary\n\nIn versions of cryptography prior to 46.0.5, DNS name constraints were only validated against SANs within child certificates, and not the \"peer name\" presented during each validation. Consequently, cryptography would allow a peer named `bar.example.com` to validate against a wildcard leaf certificate for `*.example.com`, even if the leaf's parent certificate (or upwards) contained an excluded subtree constraint for `bar.example.com`.\n\nThis behavior resulted from a gap between RFC 5280 (which defines Name Constraint semantics) and RFC 9525 (which defines service identity semantics): put together, neither states definitively whether Name Constraints should be applied to peer names. To close this gap, cryptography now conservatively rejects any validation where the peer name would be rejected by a name constraint if it were a SAN instead.\n\nIn practice, exploitation of this bypass requires an uncommon X.509 topology, one that the Web PKI avoids because it exhibits these kinds of problems. Consequently, we consider this a medium-to-low impact severity.\n\nSee CVE-2025-61727 for a similar bypass in Go's `crypto/x509`.\n\n## Remediation\n\nUsers should upgrade to 46.0.6 or newer. \n\n## Attribution\n\nReporter: @1seal", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34073.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34073.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34073", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00022", "scoring_system": "epss", "scoring_elements": "0.0594", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00022", "scoring_system": "epss", "scoring_elements": "0.05975", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00022", "scoring_system": "epss", "scoring_elements": "0.05985", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00022", "scoring_system": "epss", "scoring_elements": "0.05972", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00022", "scoring_system": "epss", "scoring_elements": "0.05994", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00022", "scoring_system": "epss", "scoring_elements": "0.06012", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00022", "scoring_system": "epss", "scoring_elements": "0.05934", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00023", "scoring_system": "epss", "scoring_elements": "0.06218", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00023", "scoring_system": "epss", "scoring_elements": "0.06249", "published_at": "2026-04-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34073" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34073", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34073" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/pyca/cryptography", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "1.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pyca/cryptography" }, { "reference_url": "https://github.com/pyca/cryptography/security/advisories/GHSA-m959-cc7f-wv43", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "1.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-31T13:50:17Z/" } ], "url": "https://github.com/pyca/cryptography/security/advisories/GHSA-m959-cc7f-wv43" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34073", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "1.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34073" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453276", "reference_id": "2453276", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2453276" }, { "reference_url": "https://github.com/advisories/GHSA-m959-cc7f-wv43", "reference_id": "GHSA-m959-cc7f-wv43", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-m959-cc7f-wv43" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1055155?format=api", "purl": "pkg:deb/debian/python-cryptography@46.0.6-1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-za3q-wwzc-qbgv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-cryptography@46.0.6-1" } ], "aliases": [ "CVE-2026-34073", "GHSA-m959-cc7f-wv43" ], "risk_score": 2.4, "exploitability": "0.5", "weighted_severity": "4.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-rgsr-9wpx-qqg6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/15388?format=api", "vulnerability_id": "VCID-x7vf-dyab-qbhq", "summary": "Python Cryptography package vulnerable to Bleichenbacher timing oracle attack\nA flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-50782.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-50782.json" }, { "reference_url": "https://access.redhat.com/security/cve/CVE-2023-50782", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-15T16:14:33Z/" } ], "url": "https://access.redhat.com/security/cve/CVE-2023-50782" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-50782", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00855", "scoring_system": "epss", "scoring_elements": "0.74942", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00855", "scoring_system": "epss", "scoring_elements": "0.74983", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00855", "scoring_system": "epss", "scoring_elements": "0.74946", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00855", "scoring_system": "epss", "scoring_elements": "0.74956", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00855", "scoring_system": "epss", "scoring_elements": "0.74977", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00855", "scoring_system": "epss", "scoring_elements": "0.74954", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00855", "scoring_system": "epss", "scoring_elements": "0.74907", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00855", "scoring_system": "epss", "scoring_elements": "0.74935", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00855", "scoring_system": "epss", "scoring_elements": "0.74909", "published_at": "2026-04-07T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-50782" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254432", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-15T16:14:33Z/" } ], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2254432" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50782", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-50782" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/pyca/cryptography", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pyca/cryptography" }, { "reference_url": "https://github.com/pyca/cryptography/issues/9785", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pyca/cryptography/issues/9785" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50782", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50782" }, { "reference_url": "https://www.couchbase.com/alerts", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "8.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.couchbase.com/alerts" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059308", "reference_id": "1059308", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059308" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:ansible_automation_platform:2", "reference_id": "cpe:/a:redhat:ansible_automation_platform:2", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:ansible_automation_platform:2" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:rhui:4::el8", "reference_id": "cpe:/a:redhat:rhui:4::el8", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:rhui:4::el8" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:satellite:6", "reference_id": "cpe:/a:redhat:satellite:6", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:satellite:6" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/o:redhat:enterprise_linux:7", "reference_id": "cpe:/o:redhat:enterprise_linux:7", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/o:redhat:enterprise_linux:7" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/o:redhat:enterprise_linux:8", "reference_id": "cpe:/o:redhat:enterprise_linux:8", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/o:redhat:enterprise_linux:8" }, { "reference_url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/o:redhat:enterprise_linux:9", "reference_id": "cpe:/o:redhat:enterprise_linux:9", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/o:redhat:enterprise_linux:9" }, { "reference_url": "https://github.com/advisories/GHSA-3ww4-gg4f-jr7f", "reference_id": "GHSA-3ww4-gg4f-jr7f", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3ww4-gg4f-jr7f" }, { "reference_url": "https://usn.ubuntu.com/6673-1/", "reference_id": "USN-6673-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/6673-1/" }, { "reference_url": "https://usn.ubuntu.com/6673-2/", "reference_id": "USN-6673-2", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/6673-2/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1055154?format=api", "purl": "pkg:deb/debian/python-cryptography@43.0.0-3%2Bdeb13u1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-rgsr-9wpx-qqg6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-cryptography@43.0.0-3%252Bdeb13u1" } ], "aliases": [ "CVE-2023-50782", "GHSA-3ww4-gg4f-jr7f" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-x7vf-dyab-qbhq" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/11525?format=api", "vulnerability_id": "VCID-48jq-1u5d-tkan", "summary": "cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling `load_pem_pkcs7_certificates` or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference and segfault. Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system availability and stability. This vulnerability has been patched in version 41.0.6.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-49083.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-49083.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-49083", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01289", "scoring_system": "epss", "scoring_elements": "0.79611", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.01289", "scoring_system": "epss", "scoring_elements": "0.79682", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.01289", "scoring_system": "epss", "scoring_elements": "0.79634", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.01289", "scoring_system": "epss", "scoring_elements": "0.79653", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.01289", "scoring_system": "epss", "scoring_elements": "0.7962", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.01289", "scoring_system": "epss", "scoring_elements": "0.79661", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.01289", "scoring_system": "epss", "scoring_elements": "0.79677", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.01289", "scoring_system": "epss", "scoring_elements": "0.79648", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.01289", "scoring_system": "epss", "scoring_elements": "0.79656", "published_at": "2026-04-09T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-49083" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-49083", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-49083" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/pyca/cryptography", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pyca/cryptography" }, { "reference_url": "https://github.com/pyca/cryptography/commit/f09c261ca10a31fe41b1262306db7f8f1da0e48a", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-18T15:31:36Z/" } ], "url": "https://github.com/pyca/cryptography/commit/f09c261ca10a31fe41b1262306db7f8f1da0e48a" }, { "reference_url": "https://github.com/pyca/cryptography/pull/9926", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-18T15:31:36Z/" } ], "url": "https://github.com/pyca/cryptography/pull/9926" }, { "reference_url": "https://github.com/pyca/cryptography/security/advisories/GHSA-jfhm-5ghh-2f97", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-18T15:31:36Z/" } ], "url": "https://github.com/pyca/cryptography/security/advisories/GHSA-jfhm-5ghh-2f97" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/cryptography/PYSEC-2023-254.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/cryptography/PYSEC-2023-254.yaml" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00012.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00012.html" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QMNTYMUGFJSDBYBU22FUYBHFRZODRKXV", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QMNTYMUGFJSDBYBU22FUYBHFRZODRKXV" }, { "reference_url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QMNTYMUGFJSDBYBU22FUYBHFRZODRKXV/", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-12-18T15:31:36Z/" } ], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QMNTYMUGFJSDBYBU22FUYBHFRZODRKXV/" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2023/11/29/2", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2023/11/29/2" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057108", "reference_id": "1057108", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057108" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2255331", "reference_id": "2255331", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2255331" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49083", "reference_id": "CVE-2023-49083", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49083" }, { "reference_url": "https://github.com/advisories/GHSA-jfhm-5ghh-2f97", "reference_id": "GHSA-jfhm-5ghh-2f97", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-jfhm-5ghh-2f97" }, { "reference_url": "https://security.gentoo.org/glsa/202407-06", "reference_id": "GLSA-202407-06", "reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/202407-06" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:10965", "reference_id": "RHSA-2024:10965", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:10965" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:1878", "reference_id": "RHSA-2024:1878", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:1878" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:2337", "reference_id": "RHSA-2024:2337", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:2337" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:3105", "reference_id": "RHSA-2024:3105", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:3105" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:3781", "reference_id": "RHSA-2024:3781", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:3781" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:13098", "reference_id": "RHSA-2025:13098", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:13098" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:13100", "reference_id": "RHSA-2025:13100", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:13100" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:13101", "reference_id": "RHSA-2025:13101", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:13101" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:13102", "reference_id": "RHSA-2025:13102", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:13102" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:13103", "reference_id": "RHSA-2025:13103", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:13103" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:13104", "reference_id": "RHSA-2025:13104", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:13104" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:14553", "reference_id": "RHSA-2025:14553", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:14553" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:15874", "reference_id": "RHSA-2025:15874", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:15874" }, { "reference_url": "https://usn.ubuntu.com/6539-1/", "reference_id": "USN-6539-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/6539-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1055153?format=api", "purl": "pkg:deb/debian/python-cryptography@38.0.4-3%2Bdeb12u1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-f44c-ygbw-bufn" }, { "vulnerability": "VCID-rgsr-9wpx-qqg6" }, { "vulnerability": "VCID-x7vf-dyab-qbhq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-cryptography@38.0.4-3%252Bdeb12u1" } ], "aliases": [ "CVE-2023-49083", "GHSA-jfhm-5ghh-2f97", "PYSEC-2023-254" ], "risk_score": 3.4, "exploitability": "0.5", "weighted_severity": "6.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-48jq-1u5d-tkan" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/9949?format=api", "vulnerability_id": "VCID-u4f5-k68d-wfd1", "summary": "cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions `Cipher.update_into` would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as `bytes`) to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This now correctly raises an exception. This issue has been present since `update_into` was originally introduced in cryptography 1.8.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-23931.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-23931.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-23931", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00804", "scoring_system": "epss", "scoring_elements": "0.74169", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00804", "scoring_system": "epss", "scoring_elements": "0.74131", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00804", "scoring_system": "epss", "scoring_elements": "0.74137", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00804", "scoring_system": "epss", "scoring_elements": "0.74155", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00804", "scoring_system": "epss", "scoring_elements": "0.74134", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00804", "scoring_system": "epss", "scoring_elements": "0.74119", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00804", "scoring_system": "epss", "scoring_elements": "0.74114", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00804", "scoring_system": "epss", "scoring_elements": "0.74087", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00804", "scoring_system": "epss", "scoring_elements": "0.74086", "published_at": "2026-04-07T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-23931" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23931", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23931" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/pyca/cryptography", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pyca/cryptography" }, { "reference_url": "https://github.com/pyca/cryptography/commit/d6951dca25de45abd52da51b608055371fbcde4e", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pyca/cryptography/commit/d6951dca25de45abd52da51b608055371fbcde4e" }, { "reference_url": "https://github.com/pyca/cryptography/pull/8230", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pyca/cryptography/pull/8230" }, { "reference_url": "https://github.com/pyca/cryptography/pull/8230/commits/94a50a9731f35405f0357fa5f3b177d46a726ab3", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T21:01:11Z/" } ], "url": "https://github.com/pyca/cryptography/pull/8230/commits/94a50a9731f35405f0357fa5f3b177d46a726ab3" }, { "reference_url": "https://github.com/pyca/cryptography/security/advisories/GHSA-w7pp-m8wf-vj6r", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L" }, { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T21:01:11Z/" } ], "url": "https://github.com/pyca/cryptography/security/advisories/GHSA-w7pp-m8wf-vj6r" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/cryptography/PYSEC-2023-11.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/cryptography/PYSEC-2023-11.yaml" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00012.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2024/10/msg00012.html" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20230324-0007", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://security.netapp.com/advisory/ntap-20230324-0007" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031049", "reference_id": "1031049", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031049" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2171817", "reference_id": "2171817", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2171817" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23931", "reference_id": "CVE-2023-23931", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23931" }, { "reference_url": "https://github.com/advisories/GHSA-w7pp-m8wf-vj6r", "reference_id": "GHSA-w7pp-m8wf-vj6r", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-w7pp-m8wf-vj6r" }, { "reference_url": "https://security.gentoo.org/glsa/202407-06", "reference_id": "GLSA-202407-06", "reference_type": "", "scores": [], "url": "https://security.gentoo.org/glsa/202407-06" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:4693", "reference_id": "RHSA-2023:4693", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:4693" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:4971", "reference_id": "RHSA-2023:4971", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:4971" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:6615", "reference_id": "RHSA-2023:6615", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:6615" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:6793", "reference_id": "RHSA-2023:6793", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:6793" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:7096", "reference_id": "RHSA-2023:7096", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:7096" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:7341", "reference_id": "RHSA-2023:7341", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:7341" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:2985", "reference_id": "RHSA-2024:2985", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:2985" }, { "reference_url": "https://usn.ubuntu.com/6539-1/", "reference_id": "USN-6539-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/6539-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/1055153?format=api", "purl": "pkg:deb/debian/python-cryptography@38.0.4-3%2Bdeb12u1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-f44c-ygbw-bufn" }, { "vulnerability": "VCID-rgsr-9wpx-qqg6" }, { "vulnerability": "VCID-x7vf-dyab-qbhq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-cryptography@38.0.4-3%252Bdeb12u1" } ], "aliases": [ "CVE-2023-23931", "GHSA-w7pp-m8wf-vj6r", "PYSEC-2023-11" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-u4f5-k68d-wfd1" } ], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-cryptography@38.0.4-3%252Bdeb12u1" }