{"url":"http://public2.vulnerablecode.io/api/packages/19868?format=json","purl":"pkg:pypi/cryptography@3.3.2","type":"pypi","namespace":"","name":"cryptography","version":"3.3.2","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"46.0.7","latest_non_vulnerable_version":"46.0.7","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37258?format=json","vulnerability_id":"VCID-jksg-v3x3-z3d3","summary":"cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to version 46.0.6, DNS name constraints were only validated against SANs within child certificates, and not the \"peer name\" presented during each validation. Consequently, cryptography would allow a peer named bar.example.com to validate against a wildcard leaf certificate for *.example.com, even if the leaf's parent certificate (or upwards) contained an excluded subtree constraint for bar.example.com. This issue has been patched in version 46.0.6.","references":[{"reference_url":"https://github.com/pyca/cryptography/security/advisories/GHSA-m959-cc7f-wv43","reference_id":"","reference_type":"","scores":[{"value":"5.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}],"url":"https://github.com/pyca/cryptography/security/advisories/GHSA-m959-cc7f-wv43"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/49105?format=json","purl":"pkg:pypi/cryptography@46.0.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-z9ad-ts2t-1bdj"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/cryptography@46.0.6"}],"aliases":["CVE-2026-34073","GHSA-m959-cc7f-wv43","PYSEC-2026-35"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-jksg-v3x3-z3d3"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36625?format=json","vulnerability_id":"VCID-n7hx-bfnn-5kgc","summary":"cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling `load_pem_pkcs7_certificates` or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference and segfault. Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system availability and stability. This vulnerability has been patched in version 41.0.6.","references":[{"reference_url":"https://github.com/pyca/cryptography","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pyca/cryptography"},{"reference_url":"https://github.com/pyca/cryptography/commit/f09c261ca10a31fe41b1262306db7f8f1da0e48a","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://github.com/pyca/cryptography/commit/f09c261ca10a31fe41b1262306db7f8f1da0e48a"},{"reference_url":"https://github.com/pyca/cryptography/pull/9926","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://github.com/pyca/cryptography/pull/9926"},{"reference_url":"https://github.com/pyca/cryptography/security/advisories/GHSA-jfhm-5ghh-2f97","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://github.com/pyca/cryptography/security/advisories/GHSA-jfhm-5ghh-2f97"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/cryptography/PYSEC-2023-254.yaml","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/cryptography/PYSEC-2023-254.yaml"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2024/10/msg00012.html","reference_id":"","reference_type":"","scores":[],"url":"https://lists.debian.org/debian-lts-announce/2024/10/msg00012.html"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QMNTYMUGFJSDBYBU22FUYBHFRZODRKXV","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QMNTYMUGFJSDBYBU22FUYBHFRZODRKXV"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QMNTYMUGFJSDBYBU22FUYBHFRZODRKXV/","reference_id":"","reference_type":"","scores":[{"value":"7.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QMNTYMUGFJSDBYBU22FUYBHFRZODRKXV/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-49083","reference_id":"CVE-2023-49083","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-49083"},{"reference_url":"https://github.com/advisories/GHSA-jfhm-5ghh-2f97","reference_id":"GHSA-jfhm-5ghh-2f97","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-jfhm-5ghh-2f97"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/38140?format=json","purl":"pkg:pypi/cryptography@41.0.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dzvc-j4et-ukgu"},{"vulnerability":"VCID-jksg-v3x3-z3d3"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/cryptography@41.0.6"}],"aliases":["CVE-2023-49083","GHSA-jfhm-5ghh-2f97","PYSEC-2023-254"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-n7hx-bfnn-5kgc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/36373?format=json","vulnerability_id":"VCID-u2xn-x2tc-jbd6","summary":"cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions `Cipher.update_into` would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as `bytes`) to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This now correctly raises an exception. This issue has been present since `update_into` was originally introduced in cryptography 1.8.","references":[{"reference_url":"https://github.com/pyca/cryptography","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pyca/cryptography"},{"reference_url":"https://github.com/pyca/cryptography/commit/d6951dca25de45abd52da51b608055371fbcde4e","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pyca/cryptography/commit/d6951dca25de45abd52da51b608055371fbcde4e"},{"reference_url":"https://github.com/pyca/cryptography/pull/8230","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pyca/cryptography/pull/8230"},{"reference_url":"https://github.com/pyca/cryptography/pull/8230/commits/94a50a9731f35405f0357fa5f3b177d46a726ab3","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pyca/cryptography/pull/8230/commits/94a50a9731f35405f0357fa5f3b177d46a726ab3"},{"reference_url":"https://github.com/pyca/cryptography/security/advisories/GHSA-w7pp-m8wf-vj6r","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pyca/cryptography/security/advisories/GHSA-w7pp-m8wf-vj6r"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/cryptography/PYSEC-2023-11.yaml","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/cryptography/PYSEC-2023-11.yaml"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2024/10/msg00012.html","reference_id":"","reference_type":"","scores":[],"url":"https://lists.debian.org/debian-lts-announce/2024/10/msg00012.html"},{"reference_url":"https://security.netapp.com/advisory/ntap-20230324-0007","reference_id":"","reference_type":"","scores":[],"url":"https://security.netapp.com/advisory/ntap-20230324-0007"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-23931","reference_id":"CVE-2023-23931","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-23931"},{"reference_url":"https://github.com/advisories/GHSA-w7pp-m8wf-vj6r","reference_id":"GHSA-w7pp-m8wf-vj6r","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-w7pp-m8wf-vj6r"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/31338?format=json","purl":"pkg:pypi/cryptography@39.0.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-dzvc-j4et-ukgu"},{"vulnerability":"VCID-jksg-v3x3-z3d3"},{"vulnerability":"VCID-n7hx-bfnn-5kgc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/cryptography@39.0.1"}],"aliases":["CVE-2023-23931","GHSA-w7pp-m8wf-vj6r","PYSEC-2023-11"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-u2xn-x2tc-jbd6"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/35719?format=json","vulnerability_id":"VCID-ra23-bf9w-2ugf","summary":"In the cryptography package before 3.3.2 for Python, certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class.","references":[{"reference_url":"https://github.com/advisories/GHSA-rhm9-p9w5-fwm7","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-rhm9-p9w5-fwm7"},{"reference_url":"https://github.com/pyca/cryptography/blob/master/CHANGELOG.rst","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pyca/cryptography/blob/master/CHANGELOG.rst"},{"reference_url":"https://github.com/pyca/cryptography/compare/3.3.1...3.3.2","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pyca/cryptography/compare/3.3.1...3.3.2"},{"reference_url":"https://github.com/pyca/cryptography/issues/5615","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/pyca/cryptography/issues/5615"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7RGQLK4J5ZQFRLKCHVVG6BKZTUQMG7E/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7RGQLK4J5ZQFRLKCHVVG6BKZTUQMG7E/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/19868?format=json","purl":"pkg:pypi/cryptography@3.3.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-jksg-v3x3-z3d3"},{"vulnerability":"VCID-n7hx-bfnn-5kgc"},{"vulnerability":"VCID-u2xn-x2tc-jbd6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/cryptography@3.3.2"}],"aliases":["CVE-2020-36242","GHSA-rhm9-p9w5-fwm7","PYSEC-2021-63"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ra23-bf9w-2ugf"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/cryptography@3.3.2"}