
Vulnerability_id VCID-s9by-79q1-27d9
Summary
Null pointer dereference in PKCS12 parsing
Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL
to crash, leading to a potential Denial of Service attack.

Impact summary: Applications loading files in the PKCS12 format from untrusted
sources might terminate abruptly.

A file in PKCS12 format can contain certificates and keys and may come from an
untrusted source. The PKCS12 specification allows certain fields to be NULL, but
OpenSSL does not correctly check for this case. This can lead to a NULL pointer
dereference that results in OpenSSL crashing. If an application processes PKCS12
files from an untrusted source using the OpenSSL APIs then that application will
be vulnerable to this issue.

OpenSSL APIs that are vulnerable to this are: PKCS12_parse(),
PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()
and PKCS12_newpass().

We have also fixed a similar issue in SMIME_write_PKCS7(). However, since this
function is related to writing data, we do not consider it security significant.

The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.
Aliases
0
alias CVE-2024-0727
1
alias GHSA-9v9h-cgj8-h64p
Fixed_packages
0
url pkg:pypi/cryptography@42.0.2
purl pkg:pypi/cryptography@42.0.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-dzvc-j4et-ukgu
1
vulnerability VCID-jksg-v3x3-z3d3
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/cryptography@42.0.2
Affected_packages
References
0
reference_url https://cert-portal.siemens.com/productcert/html/ssa-265688.html
reference_id
reference_type
scores
url https://cert-portal.siemens.com/productcert/html/ssa-265688.html
1
reference_url https://cert-portal.siemens.com/productcert/html/ssa-277137.html
reference_id
reference_type
scores
url https://cert-portal.siemens.com/productcert/html/ssa-277137.html
2
reference_url https://cert-portal.siemens.com/productcert/html/ssa-331112.html
reference_id
reference_type
scores
url https://cert-portal.siemens.com/productcert/html/ssa-331112.html
3
reference_url https://cert-portal.siemens.com/productcert/html/ssa-769027.html
reference_id
reference_type
scores
url https://cert-portal.siemens.com/productcert/html/ssa-769027.html
4
reference_url https://cert-portal.siemens.com/productcert/html/ssa-915275.html
reference_id
reference_type
scores
url https://cert-portal.siemens.com/productcert/html/ssa-915275.html
5
reference_url https://github.com/alexcrichton/openssl-src-rs/commit/add20f73b6b42be7451af2e1044d4e0e778992b2
reference_id
reference_type
scores
url https://github.com/alexcrichton/openssl-src-rs/commit/add20f73b6b42be7451af2e1044d4e0e778992b2
6
reference_url https://github.com/github/advisory-database/pull/3472
reference_id
reference_type
scores
url https://github.com/github/advisory-database/pull/3472
7
reference_url https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2
reference_id
reference_type
scores
url https://github.com/openssl/openssl/commit/09df4395b5071217b76dc7d3d2e630eb8c5a79c2
8
reference_url https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a
reference_id
reference_type
scores
url https://github.com/openssl/openssl/commit/775acfdbd0c6af9ac855f34969cdab0c0c90844a
9
reference_url https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c
reference_id
reference_type
scores
url https://github.com/openssl/openssl/commit/d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c
10
reference_url https://github.com/openssl/openssl/pull/23362
reference_id
reference_type
scores
url https://github.com/openssl/openssl/pull/23362
11
reference_url https://github.com/pyca/cryptography/commit/3519591d255d4506fbcd0d04037d45271903c64d
reference_id
reference_type
scores
url https://github.com/pyca/cryptography/commit/3519591d255d4506fbcd0d04037d45271903c64d
12
reference_url https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8
reference_id
reference_type
scores
url https://github.openssl.org/openssl/extended-releases/commit/03b3941d60c4bce58fab69a0c22377ab439bc0e8
13
reference_url https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539
reference_id
reference_type
scores
url https://github.openssl.org/openssl/extended-releases/commit/aebaa5883e31122b404e450732dc833dc9dee539
14
reference_url https://lists.debian.org/debian-lts-announce/2024/10/msg00033.html
reference_id
reference_type
scores
url https://lists.debian.org/debian-lts-announce/2024/10/msg00033.html
15
reference_url https://lists.debian.org/debian-lts-announce/2024/11/msg00000.html
reference_id
reference_type
scores
url https://lists.debian.org/debian-lts-announce/2024/11/msg00000.html
16
reference_url https://security.netapp.com/advisory/ntap-20240208-0006
reference_id
reference_type
scores
url https://security.netapp.com/advisory/ntap-20240208-0006
17
reference_url https://www.openssl.org/news/secadv/20240125.txt
reference_id
reference_type
scores
url https://www.openssl.org/news/secadv/20240125.txt
18
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-0727
reference_id CVE-2024-0727
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2024-0727
19
reference_url https://github.com/advisories/GHSA-9v9h-cgj8-h64p
reference_id GHSA-9v9h-cgj8-h64p
reference_type
scores
url https://github.com/advisories/GHSA-9v9h-cgj8-h64p
Weaknesses
0
cwe_id 476
name NULL Pointer Dereference
description A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.
1
cwe_id 937
name OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.
2
cwe_id 1035
name OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.
Exploits
Severity_range_score null
Exploitability null
Weighted_severity null
Risk_score null
Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-s9by-79q1-27d9