Look up vulnerable packages by Package URL (purl).

Purl pkg:pypi/cryptography@41.0.0
Type pypi
Namespace
Name cryptography
Version 41.0.0
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 46.0.7
Latest_non_vulnerable_version 46.0.7
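The Purl, Type, Namespace, Name, Version, Qualifiers and Subpath fields above are the components of the queried Package URL. The parser below is an added example, not VulnerableCode's or the packageurl-python library's code: it produces that decomposition from a purl string and re-encodes it for use as a lookup key. It follows the generic purl spec rules (right-to-left splitting before percent-decoding, lower-cased type and qualifier keys, dot segments dropped from the subpath) and does not apply per-type rules such as pypi name normalisation. The npm, maven and golang inputs in the comments are constructed for illustration.

```python
"""Decompose a Package URL (purl) into the fields shown in the lookup above.

Added example, not code from VulnerableCode or packageurl-python. Layout:
    pkg:type/namespace/name@version?qualifiers#subpath
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import quote, unquote


@dataclass
class Purl:
    type: str
    namespace: Optional[str]
    name: str
    version: Optional[str]
    qualifiers: Dict[str, str] = field(default_factory=dict)
    subpath: Optional[str] = None

    def to_string(self) -> str:
        """Re-encode for use as a lookup key (the purl field of a query)."""
        out = f"pkg:{self.type}"
        if self.namespace:
            out += "/" + "/".join(quote(seg, safe="") for seg in self.namespace.split("/"))
        out += "/" + quote(self.name, safe="")
        if self.version:
            out += "@" + quote(self.version, safe="")
        if self.qualifiers:
            out += "?" + "&".join(f"{k}={quote(v, safe='')}" for k, v in sorted(self.qualifiers.items()))
        if self.subpath:
            out += "#" + "/".join(quote(seg, safe="") for seg in self.subpath.split("/"))
        return out


def _split_last(s: str, sep: str) -> Tuple[str, Optional[str]]:
    """Split on the last occurrence of sep; tail is None when sep is absent."""
    head, found, tail = s.rpartition(sep)
    return (head, tail) if found else (s, None)


def parse_purl(purl: str) -> Purl:
    scheme, _, rest = purl.partition(":")
    if scheme.lower() != "pkg" or not rest:
        raise ValueError(f"not a purl: {purl!r}")
    rest = rest.strip("/")  # the spec tolerates "pkg://type/..."

    # Peel components off the right before any percent-decoding, so an encoded
    # '@' or '/' inside a name (constructed example: pkg:npm/%40scope/pkg) is
    # not mistaken for a separator.
    rest, subpath = _split_last(rest, "#")
    rest, qualifiers_raw = _split_last(rest, "?")
    rest, version = _split_last(rest, "@")

    type_, _, path = rest.partition("/")
    segments = [unquote(seg) for seg in path.split("/") if seg]
    if not type_ or not segments:
        raise ValueError(f"purl needs a type and a name: {purl!r}")

    qualifiers: Dict[str, str] = {}
    for pair in (qualifiers_raw or "").split("&"):
        key, _, value = pair.partition("=")
        if key and value:  # spec: qualifiers with empty values are dropped
            qualifiers[key.lower()] = unquote(value)

    if subpath is not None:
        kept = [unquote(s) for s in subpath.split("/") if s not in ("", ".", "..")]
        subpath = "/".join(kept) or None

    return Purl(
        type=type_.lower(),
        namespace="/".join(segments[:-1]) or None,  # "" for pkg:pypi/... as shown above
        name=segments[-1],
        version=unquote(version) if version else None,
        qualifiers=qualifiers,
        subpath=subpath,
    )


if __name__ == "__main__":
    print(parse_purl("pkg:pypi/cryptography@41.0.0"))
```

Parsing the purl from this page yields type `pypi`, no namespace, name `cryptography`, version `41.0.0` and empty qualifiers and subpath, which is exactly the decomposition the lookup reports; `to_string()` gives back the key to query with.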
Affected_by_vulnerabilities
0
url VCID-67ns-x8ut-cbdc
vulnerability_id VCID-67ns-x8ut-cbdc
summary The cryptography package before 41.0.2 for Python mishandles SSH certificates that have critical options.
references
0
reference_url https://github.com/pyca/cryptography
reference_id
reference_type
scores
url https://github.com/pyca/cryptography
1
reference_url https://github.com/pyca/cryptography/commit/1ca7adc97b76a9dfbd3d850628b613eb93b78fc3
reference_id
reference_type
scores
url https://github.com/pyca/cryptography/commit/1ca7adc97b76a9dfbd3d850628b613eb93b78fc3
2
reference_url https://github.com/pyca/cryptography/compare/41.0.1...41.0.2
reference_id
reference_type
scores
url https://github.com/pyca/cryptography/compare/41.0.1...41.0.2
3
reference_url https://github.com/pyca/cryptography/issues/9207
reference_id
reference_type
scores
url https://github.com/pyca/cryptography/issues/9207
4
reference_url https://github.com/pyca/cryptography/pull/7960
reference_id
reference_type
scores
url https://github.com/pyca/cryptography/pull/7960
5
reference_url https://github.com/pyca/cryptography/pull/9208
reference_id
reference_type
scores
url https://github.com/pyca/cryptography/pull/9208
6
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/cryptography/PYSEC-2023-112.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/cryptography/PYSEC-2023-112.yaml
7
reference_url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NMCCTYY3CSNQBFFYYC5DAV6KATHWCUZK
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NMCCTYY3CSNQBFFYYC5DAV6KATHWCUZK
8
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NMCCTYY3CSNQBFFYYC5DAV6KATHWCUZK
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NMCCTYY3CSNQBFFYYC5DAV6KATHWCUZK
9
reference_url https://pypi.org/project/cryptography/#history
reference_id
reference_type
scores
url https://pypi.org/project/cryptography/#history
10
reference_url https://security.netapp.com/advisory/ntap-20230824-0010
reference_id
reference_type
scores
url https://security.netapp.com/advisory/ntap-20230824-0010
11
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-38325
reference_id CVE-2023-38325
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-38325
12
reference_url https://github.com/advisories/GHSA-cf7p-gm2m-833m
reference_id GHSA-cf7p-gm2m-833m
reference_type
scores
url https://github.com/advisories/GHSA-cf7p-gm2m-833m
fixed_packages
0
url pkg:pypi/cryptography@41.0.2
purl pkg:pypi/cryptography@41.0.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dzvc-j4et-ukgu
1
vulnerability VCID-jksg-v3x3-z3d3
2
vulnerability VCID-n7hx-bfnn-5kgc
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/cryptography@41.0.2
aliases CVE-2023-38325, GHSA-cf7p-gm2m-833m, PYSEC-2023-112
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-67ns-x8ut-cbdc
1
url VCID-dzvc-j4et-ukgu
vulnerability_id VCID-dzvc-j4et-ukgu
summary cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting in version 38.0.0 and prior to version 42.0.4, if `pkcs12.serialize_key_and_certificates` is called with both a certificate whose public key did not match the provided private key and an `encryption_algorithm` with `hmac_hash` set (via `PrivateFormat.PKCS12.encryption_builder().hmac_hash(...)`), then a NULL pointer dereference would occur, crashing the Python process. This has been resolved in version 42.0.4, the first version in which a `ValueError` is properly raised.
references
0
reference_url https://github.com/pyca/cryptography
reference_id
reference_type
scores
url https://github.com/pyca/cryptography
1
reference_url https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55
2
reference_url https://github.com/pyca/cryptography/pull/10423
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://github.com/pyca/cryptography/pull/10423
3
reference_url https://github.com/pyca/cryptography/security/advisories/GHSA-6vqw-3v5j-54x4
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://github.com/pyca/cryptography/security/advisories/GHSA-6vqw-3v5j-54x4
4
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/cryptography/PYSEC-2024-225.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/cryptography/PYSEC-2024-225.yaml
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-26130
reference_id CVE-2024-26130
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2024-26130
6
reference_url https://github.com/advisories/GHSA-6vqw-3v5j-54x4
reference_id GHSA-6vqw-3v5j-54x4
reference_type
scores
url https://github.com/advisories/GHSA-6vqw-3v5j-54x4
fixed_packages
0
url pkg:pypi/cryptography@42.0.4
purl pkg:pypi/cryptography@42.0.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-jksg-v3x3-z3d3
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/cryptography@42.0.4
aliases CVE-2024-26130, GHSA-6vqw-3v5j-54x4, PYSEC-2024-225
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-dzvc-j4et-ukgu
2
url VCID-jksg-v3x3-z3d3
vulnerability_id VCID-jksg-v3x3-z3d3
summary cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to version 46.0.6, DNS name constraints were only validated against SANs within child certificates, and not the "peer name" presented during each validation. Consequently, cryptography would allow a peer named bar.example.com to validate against a wildcard leaf certificate for *.example.com, even if the leaf's parent certificate (or upwards) contained an excluded subtree constraint for bar.example.com. This issue has been patched in version 46.0.6.
references
0
reference_url https://github.com/pyca/cryptography/security/advisories/GHSA-m959-cc7f-wv43
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
url https://github.com/pyca/cryptography/security/advisories/GHSA-m959-cc7f-wv43
fixed_packages
0
url pkg:pypi/cryptography@46.0.6
purl pkg:pypi/cryptography@46.0.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-z9ad-ts2t-1bdj
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/cryptography@46.0.6
aliases CVE-2026-34073, GHSA-m959-cc7f-wv43, PYSEC-2026-35
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-jksg-v3x3-z3d3
3
url VCID-n7hx-bfnn-5kgc
vulnerability_id VCID-n7hx-bfnn-5kgc
summary cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling `load_pem_pkcs7_certificates` or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference and segfault. Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system availability and stability. This vulnerability has been patched in version 41.0.6.
references
0
reference_url https://github.com/pyca/cryptography
reference_id
reference_type
scores
url https://github.com/pyca/cryptography
1
reference_url https://github.com/pyca/cryptography/commit/f09c261ca10a31fe41b1262306db7f8f1da0e48a
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://github.com/pyca/cryptography/commit/f09c261ca10a31fe41b1262306db7f8f1da0e48a
2
reference_url https://github.com/pyca/cryptography/pull/9926
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://github.com/pyca/cryptography/pull/9926
3
reference_url https://github.com/pyca/cryptography/security/advisories/GHSA-jfhm-5ghh-2f97
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://github.com/pyca/cryptography/security/advisories/GHSA-jfhm-5ghh-2f97
4
reference_url https://github.com/pypa/advisory-database/tree/main/vulns/cryptography/PYSEC-2023-254.yaml
reference_id
reference_type
scores
url https://github.com/pypa/advisory-database/tree/main/vulns/cryptography/PYSEC-2023-254.yaml
5
reference_url https://lists.debian.org/debian-lts-announce/2024/10/msg00012.html
reference_id
reference_type
scores
url https://lists.debian.org/debian-lts-announce/2024/10/msg00012.html
6
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QMNTYMUGFJSDBYBU22FUYBHFRZODRKXV
reference_id
reference_type
scores
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QMNTYMUGFJSDBYBU22FUYBHFRZODRKXV
7
reference_url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QMNTYMUGFJSDBYBU22FUYBHFRZODRKXV/
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QMNTYMUGFJSDBYBU22FUYBHFRZODRKXV/
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-49083
reference_id CVE-2023-49083
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2023-49083
9
reference_url https://github.com/advisories/GHSA-jfhm-5ghh-2f97
reference_id GHSA-jfhm-5ghh-2f97
reference_type
scores
url https://github.com/advisories/GHSA-jfhm-5ghh-2f97
fixed_packages
0
url pkg:pypi/cryptography@41.0.6
purl pkg:pypi/cryptography@41.0.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dzvc-j4et-ukgu
1
vulnerability VCID-jksg-v3x3-z3d3
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/cryptography@41.0.6
aliases CVE-2023-49083, GHSA-jfhm-5ghh-2f97, PYSEC-2023-254
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-n7hx-bfnn-5kgc
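The summary for VCID-jksg-v3x3-z3d3 (CVE-2026-34073) above describes a gap between two ways of applying an excludedSubtrees DNS constraint: against the leaf certificate's SAN entries only, or also against the peer name being validated. The model below is an added example, not pyca/cryptography's code. It reproduces only that logic: a wildcard SAN is compared with the excluded subtree as a literal name (an assumption of this model), permittedSubtrees, other name types and the rest of chain building are out of scope, and the scenario data (leaf for *.example.com, excluded bar.example.com) is taken from the advisory text.

```python
"""Model of the DNS name-constraint gap described for VCID-jksg-v3x3-z3d3.

Added example, not pyca/cryptography's code; see the lead-in for what it
does and does not model.
"""
from typing import Iterable, Tuple


def dns_name_in_subtree(name: str, subtree: str) -> bool:
    """RFC 5280 4.2.1.10 dNSName constraint: 'host.example.com' covers that
    name and anything with extra labels on the left (www.host.example.com);
    the leading-dot form '.example.com' covers only proper subdomains."""
    name, subtree = name.lower().rstrip("."), subtree.lower().rstrip(".")
    if subtree.startswith("."):
        return name.endswith(subtree)
    return name == subtree or name.endswith("." + subtree)


def san_matches_peer(san: str, peer: str) -> bool:
    """Hostname match of one dNSName SAN against the peer name: exact, or a
    '*' covering exactly one leftmost label (RFC 6125 section 6.4.3 style)."""
    san, peer = san.lower(), peer.lower()
    if san.startswith("*."):
        return "." in peer and peer.split(".", 1)[1] == san[2:]
    return san == peer


def validate_san_only(leaf_sans: Iterable[str], excluded: Iterable[str], peer: str) -> bool:
    """Pre-46.0.6 behaviour as the advisory describes it: excluded subtrees are
    compared with the leaf's SAN entries, and the peer name only has to match
    one of those SANs."""
    leaf_sans, excluded = list(leaf_sans), list(excluded)
    if any(dns_name_in_subtree(san, ex) for san in leaf_sans for ex in excluded):
        return False
    return any(san_matches_peer(san, peer) for san in leaf_sans)


def validate_with_peer_name(leaf_sans: Iterable[str], excluded: Iterable[str], peer: str) -> bool:
    """Fixed behaviour: the peer name itself must also lie outside every
    excluded subtree, not just the SAN entry it matched."""
    leaf_sans, excluded = list(leaf_sans), list(excluded)
    if any(dns_name_in_subtree(peer, ex) for ex in excluded):
        return False
    return validate_san_only(leaf_sans, excluded, peer)


# The advisory's scenario: an issuer constrained to exclude bar.example.com
# signed a wildcard leaf for *.example.com.
EXCLUDED = ["bar.example.com"]
LEAF_SANS = ["*.example.com"]


def advisory_scenario(peer: str) -> Tuple[bool, bool]:
    """(accepted by the SAN-only check, accepted by the peer-name check)."""
    return (validate_san_only(LEAF_SANS, EXCLUDED, peer),
            validate_with_peer_name(LEAF_SANS, EXCLUDED, peer))


if __name__ == "__main__":
    for peer in ("bar.example.com", "foo.example.com", "x.bar.example.com"):
        print(peer, advisory_scenario(peer))
```

For `bar.example.com` the SAN-only check accepts (the literal `*.example.com` is not inside the `bar.example.com` subtree, and the wildcard matches the peer) while the peer-name check rejects; `foo.example.com` is accepted by both, and a leaf whose SAN literally names `bar.example.com` is rejected by both, which is why the gap only shows with wildcard or otherwise broader SANs.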
Fixing_vulnerabilities
0
url VCID-78m5-9977-afbh
vulnerability_id VCID-78m5-9977-afbh
summary
Vulnerable OpenSSL included in cryptography wheels
pyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in cryptography 0.5-40.0.2 are vulnerable to a security issue. More details about the vulnerability itself can be found in https://www.openssl.org/news/secadv/20230530.txt.

If you are building cryptography from source ("sdist") then you are responsible for upgrading your copy of OpenSSL. Only users installing from wheels built by the cryptography project (i.e., those distributed on PyPI) need to update their cryptography versions.
references
0
reference_url https://cryptography.io/en/latest/changelog/#v41-0-0
reference_id
reference_type
scores
url https://cryptography.io/en/latest/changelog/#v41-0-0
1
reference_url https://github.com/pyca/cryptography/commit/8708245ccdeaff21d65eea68a4f8d2a7c5949a22
reference_id
reference_type
scores
url https://github.com/pyca/cryptography/commit/8708245ccdeaff21d65eea68a4f8d2a7c5949a22
2
reference_url https://github.com/advisories/GHSA-5cpq-8wj7-hf2v
reference_id GHSA-5cpq-8wj7-hf2v
reference_type
scores
url https://github.com/advisories/GHSA-5cpq-8wj7-hf2v
3
reference_url https://github.com/pyca/cryptography/security/advisories/GHSA-5cpq-8wj7-hf2v
reference_id GHSA-5cpq-8wj7-hf2v
reference_type
scores
url https://github.com/pyca/cryptography/security/advisories/GHSA-5cpq-8wj7-hf2v
fixed_packages
0
url pkg:pypi/cryptography@41.0.0
purl pkg:pypi/cryptography@41.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-67ns-x8ut-cbdc
1
vulnerability VCID-dzvc-j4et-ukgu
2
vulnerability VCID-jksg-v3x3-z3d3
3
vulnerability VCID-n7hx-bfnn-5kgc
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/cryptography@41.0.0
aliases GHSA-5cpq-8wj7-hf2v, GMS-2023-1778
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-78m5-9977-afbh
Risk_score null
Resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/cryptography@41.0.0
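One thing to read carefully in this record: every entry under fixed_packages (41.0.2, 41.0.6, 42.0.4, 46.0.6) is itself marked is_vulnerable true, because each fix closes one advisory while the others remain open, and 46.0.6 is flagged for VCID-z9ad-ts2t-1bdj, which does not appear in the 41.0.0 record at all. The script below is an added example, not VulnerableCode client code, that turns such a response into an upgrade decision. LOOKUP is a constructed, abridged copy of the record on this page (VCIDs, aliases and fix versions as shown, references and scores dropped) using the page's field names; the version comparison covers release segments only, which suffices here, and real code should use packaging.version and fetch the record from the resource_url.

```python
"""Triage of the lookup above: what hits pkg:pypi/cryptography@41.0.0 and
what to upgrade to. Added example, not VulnerableCode client code."""
import re
from typing import Dict, List, Set, Tuple


def _fix(version: str, still_affected: List[str]) -> dict:
    """One fixed_packages entry in the shape the page shows."""
    return {"purl": f"pkg:pypi/cryptography@{version}", "is_vulnerable": bool(still_affected),
            "affected_by_vulnerabilities": [{"vulnerability": v} for v in still_affected]}


# Constructed, abridged copy of the record on this page.
LOOKUP = {
    "purl": "pkg:pypi/cryptography@41.0.0",
    "is_vulnerable": True,
    "next_non_vulnerable_version": "46.0.7",
    "latest_non_vulnerable_version": "46.0.7",
    "affected_by_vulnerabilities": [
        {"vulnerability_id": "VCID-67ns-x8ut-cbdc", "aliases": ["CVE-2023-38325", "GHSA-cf7p-gm2m-833m", "PYSEC-2023-112"],
         "fixed_packages": [_fix("41.0.2", ["VCID-dzvc-j4et-ukgu", "VCID-jksg-v3x3-z3d3", "VCID-n7hx-bfnn-5kgc"])]},
        {"vulnerability_id": "VCID-dzvc-j4et-ukgu", "aliases": ["CVE-2024-26130", "GHSA-6vqw-3v5j-54x4", "PYSEC-2024-225"],
         "fixed_packages": [_fix("42.0.4", ["VCID-jksg-v3x3-z3d3"])]},
        {"vulnerability_id": "VCID-jksg-v3x3-z3d3", "aliases": ["CVE-2026-34073", "GHSA-m959-cc7f-wv43", "PYSEC-2026-35"],
         "fixed_packages": [_fix("46.0.6", ["VCID-z9ad-ts2t-1bdj"])]},
        {"vulnerability_id": "VCID-n7hx-bfnn-5kgc", "aliases": ["CVE-2023-49083", "GHSA-jfhm-5ghh-2f97", "PYSEC-2023-254"],
         "fixed_packages": [_fix("41.0.6", ["VCID-dzvc-j4et-ukgu", "VCID-jksg-v3x3-z3d3"])]},
    ],
    "fixing_vulnerabilities": [
        {"vulnerability_id": "VCID-78m5-9977-afbh", "aliases": ["GHSA-5cpq-8wj7-hf2v", "GMS-2023-1778"]},
    ],
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Release segments only (41.0.2 < 41.0.10); no pre/post-release handling."""
    if not re.fullmatch(r"\d+(?:\.\d+)*", version):
        raise ValueError(f"unsupported version string: {version}")
    return tuple(int(p) for p in version.split("."))


def version_of(purl: str) -> str:
    return purl.rpartition("@")[2]


def preferred_alias(vuln: dict) -> str:
    """CVE if the advisory has one, else the first alias, else the VCID."""
    aliases = vuln.get("aliases", [])
    return next((a for a in aliases if a.startswith("CVE-")), aliases[0] if aliases else vuln["vulnerability_id"])


def triage(resp: dict) -> List[Tuple[str, str, List[str]]]:
    """One row per advisory hitting the pinned version: VCID, alias, fix versions."""
    rows = []
    for vuln in resp["affected_by_vulnerabilities"]:
        fixes = sorted((version_of(p["purl"]) for p in vuln["fixed_packages"]), key=parse_version)
        rows.append((vuln["vulnerability_id"], preferred_alias(vuln), fixes))
    return rows


def fixed_package_status(resp: dict) -> Dict[str, List[str]]:
    """Each listed fix version with the VCIDs the service says still affect it."""
    status: Dict[str, List[str]] = {}
    for vuln in resp["affected_by_vulnerabilities"]:
        for pkg in vuln["fixed_packages"]:
            status[version_of(pkg["purl"])] = [a["vulnerability"] for a in pkg["affected_by_vulnerabilities"]]
    return status


def remaining_after_upgrade(resp: dict, target: str) -> Set[str]:
    """VCIDs from this record whose listed fixes are all newer than target.
    Assumes a fix is not reverted later; the service's per-version flags stay
    authoritative and can name advisories outside this record."""
    t = parse_version(target)
    return {v["vulnerability_id"] for v in resp["affected_by_vulnerabilities"]
            if not any(parse_version(version_of(p["purl"])) <= t for p in v["fixed_packages"])}


def upgrade_target(resp: dict) -> str:
    """Lowest listed fix the service marks non-vulnerable, else its next_non_vulnerable_version."""
    clean = [version_of(p["purl"]) for v in resp["affected_by_vulnerabilities"]
             for p in v["fixed_packages"] if not p["is_vulnerable"]]
    return min(clean, key=parse_version) if clean else resp["next_non_vulnerable_version"]


if __name__ == "__main__":
    for vcid, alias, fixes in triage(LOOKUP):
        print(f"{alias:16} {vcid}  fixed in {', '.join(fixes)}")
    print("upgrade to", upgrade_target(LOOKUP))
```

Deriving the leftovers from the fix versions alone reproduces what the page says for 41.0.2, 41.0.6 and 42.0.4 (for 41.0.6, VCID-dzvc-j4et-ukgu and VCID-jksg-v3x3-z3d3 remain), but for 46.0.6 the derivation finds nothing while the service still flags VCID-z9ad-ts2t-1bdj. That is why the target should come from next_non_vulnerable_version (46.0.7 here) rather than from the highest fix version in the record.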