{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/53608?format=json","vulnerability_id":"VCID-fy6y-f41e-8qex","summary":"Vulnerable OpenSSL included in cryptography wheels\npyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in cryptography 37.0.0-38.0.3 are vulnerable to a number of security issues. More details about the vulnerabilities themselves can be found in https://www.openssl.org/news/secadv/20221101.txt.\n\nIf you are building cryptography source (\"sdist\") then you are responsible for upgrading your copy of OpenSSL. Only users installing from wheels built by the cryptography project (i.e., those distributed on PyPI) need to update their cryptography versions.","aliases":[{"alias":"GHSA-39hc-v87j-747x"},{"alias":"GMS-2022-6259"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/32003?format=json","purl":"pkg:pypi/cryptography@38.0.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-48jq-1u5d-tkan"},{"vulnerability":"VCID-4j5v-k162-tfgd"},{"vulnerability":"VCID-f44c-ygbw-bufn"},{"vulnerability":"VCID-g772-pn9e-7ufv"},{"vulnerability":"VCID-hpev-apm4-sqfw"},{"vulnerability":"VCID-npaa-km8e-f3gs"},{"vulnerability":"VCID-p5vx-kq3j-b3ds"},{"vulnerability":"VCID-r78e-t88x-a3ed"},{"vulnerability":"VCID-u4f5-k68d-wfd1"},{"vulnerability":"VCID-x2wm-3tk7-wbbv"},{"vulnerability":"VCID-x7vf-dyab-qbhq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/cryptography@38.0.3"}],"affected_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/31994?format=json","purl":"pkg:pypi/cryptography@37.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-48jq-1u5d-tkan"},{"vulnerability":"VCID-4j5v-k162-tfgd"},{"vulnerability":"VCID-f44c-ygbw-bufn"},{"vulnerability":"VCID-fy6y-f41e-8qex"},{"vulnerability":"VCID-hpev-apm4-sqfw"},{"vulnerability":"VCID-npaa-km8e-f3gs"},{"vulnerability":"VCID-p5vx-kq3j-b3ds"},{"vulnerability":"VCID-r78e-t88x-a3ed"},{"vulnerability":"VCID-u4f5-k68d-wfd1"},{"vulnerability":"VCID-x2wm-3tk7-wbbv"},{"vulnerability":"VCID-x7vf-dyab-qbhq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/cryptography@37.0.0"},{"url":"http://public2.vulnerablecode.io/api/packages/31996?format=json","purl":"pkg:pypi/cryptography@37.0.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-48jq-1u5d-tkan"},{"vulnerability":"VCID-4j5v-k162-tfgd"},{"vulnerability":"VCID-f44c-ygbw-bufn"},{"vulnerability":"VCID-fy6y-f41e-8qex"},{"vulnerability":"VCID-hpev-apm4-sqfw"},{"vulnerability":"VCID-npaa-km8e-f3gs"},{"vulnerability":"VCID-p5vx-kq3j-b3ds"},{"vulnerability":"VCID-r78e-t88x-a3ed"},{"vulnerability":"VCID-u4f5-k68d-wfd1"},{"vulnerability":"VCID-x2wm-3tk7-wbbv"},{"vulnerability":"VCID-x7vf-dyab-qbhq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/cryptography@37.0.1"},{"url":"http://public2.vulnerablecode.io/api/packages/31997?format=json","purl":"pkg:pypi/cryptography@37.0.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-48jq-1u5d-tkan"},{"vulnerability":"VCID-4j5v-k162-tfgd"},{"vulnerability":"VCID-f44c-ygbw-bufn"},{"vulnerability":"VCID-fy6y-f41e-8qex"},{"vulnerability":"VCID-hpev-apm4-sqfw"},{"vulnerability":"VCID-npaa-km8e-f3gs"},{"vulnerability":"VCID-p5vx-kq3j-b3ds"},{"vulnerability":"VCID-r78e-t88x-a3ed"},{"vulnerability":"VCID-u4f5-k68d-wfd1"},{"vulnerability":"VCID-x2wm-3tk7-wbbv"},{"vulnerability":"VCID-x7vf-dyab-qbhq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/cryptography@37.0.2"},{"url":"http://public2.vulnerablecode.io/api/packages/31998?format=json","purl":"pkg:pypi/cryptography@37.0.3","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-48jq-1u5d-tkan"},{"vulnerability":"VCID-4j5v-k162-tfgd"},{"vulnerability":"VCID-f44c-ygbw-bufn"},{"vulnerability":"VCID-fy6y-f41e-8qex"},{"vulnerability":"VCID-hpev-apm4-sqfw"},{"vulnerability":"VCID-npaa-km8e-f3gs"},{"vulnerability":"VCID-p5vx-kq3j-b3ds"},{"vulnerability":"VCID-r78e-t88x-a3ed"},{"vulnerability":"VCID-u4f5-k68d-wfd1"},{"vulnerability":"VCID-x2wm-3tk7-wbbv"},{"vulnerability":"VCID-x7vf-dyab-qbhq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/cryptography@37.0.3"},{"url":"http://public2.vulnerablecode.io/api/packages/31999?format=json","purl":"pkg:pypi/cryptography@37.0.4","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-48jq-1u5d-tkan"},{"vulnerability":"VCID-4j5v-k162-tfgd"},{"vulnerability":"VCID-f44c-ygbw-bufn"},{"vulnerability":"VCID-fy6y-f41e-8qex"},{"vulnerability":"VCID-hpev-apm4-sqfw"},{"vulnerability":"VCID-npaa-km8e-f3gs"},{"vulnerability":"VCID-p5vx-kq3j-b3ds"},{"vulnerability":"VCID-r78e-t88x-a3ed"},{"vulnerability":"VCID-u4f5-k68d-wfd1"},{"vulnerability":"VCID-x2wm-3tk7-wbbv"},{"vulnerability":"VCID-x7vf-dyab-qbhq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/cryptography@37.0.4"},{"url":"http://public2.vulnerablecode.io/api/packages/32000?format=json","purl":"pkg:pypi/cryptography@38.0.0","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-48jq-1u5d-tkan"},{"vulnerability":"VCID-4j5v-k162-tfgd"},{"vulnerability":"VCID-f44c-ygbw-bufn"},{"vulnerability":"VCID-fy6y-f41e-8qex"},{"vulnerability":"VCID-g772-pn9e-7ufv"},{"vulnerability":"VCID-hpev-apm4-sqfw"},{"vulnerability":"VCID-npaa-km8e-f3gs"},{"vulnerability":"VCID-p5vx-kq3j-b3ds"},{"vulnerability":"VCID-r78e-t88x-a3ed"},{"vulnerability":"VCID-u4f5-k68d-wfd1"},{"vulnerability":"VCID-x2wm-3tk7-wbbv"},{"vulnerability":"VCID-x7vf-dyab-qbhq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/cryptography@38.0.0"},{"url":"http://public2.vulnerablecode.io/api/packages/32001?format=json","purl":"pkg:pypi/cryptography@38.0.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-48jq-1u5d-tkan"},{"vulnerability":"VCID-4j5v-k162-tfgd"},{"vulnerability":"VCID-f44c-ygbw-bufn"},{"vulnerability":"VCID-fy6y-f41e-8qex"},{"vulnerability":"VCID-g772-pn9e-7ufv"},{"vulnerability":"VCID-hpev-apm4-sqfw"},{"vulnerability":"VCID-npaa-km8e-f3gs"},{"vulnerability":"VCID-p5vx-kq3j-b3ds"},{"vulnerability":"VCID-r78e-t88x-a3ed"},{"vulnerability":"VCID-u4f5-k68d-wfd1"},{"vulnerability":"VCID-x2wm-3tk7-wbbv"},{"vulnerability":"VCID-x7vf-dyab-qbhq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/cryptography@38.0.1"},{"url":"http://public2.vulnerablecode.io/api/packages/32002?format=json","purl":"pkg:pypi/cryptography@38.0.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-48jq-1u5d-tkan"},{"vulnerability":"VCID-4j5v-k162-tfgd"},{"vulnerability":"VCID-f44c-ygbw-bufn"},{"vulnerability":"VCID-fy6y-f41e-8qex"},{"vulnerability":"VCID-g772-pn9e-7ufv"},{"vulnerability":"VCID-hpev-apm4-sqfw"},{"vulnerability":"VCID-npaa-km8e-f3gs"},{"vulnerability":"VCID-p5vx-kq3j-b3ds"},{"vulnerability":"VCID-r78e-t88x-a3ed"},{"vulnerability":"VCID-u4f5-k68d-wfd1"},{"vulnerability":"VCID-x2wm-3tk7-wbbv"},{"vulnerability":"VCID-x7vf-dyab-qbhq"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/cryptography@38.0.2"}],"references":[{"reference_url":"https://github.com/pyca/cryptography","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pyca/cryptography"},{"reference_url":"https://github.com/pyca/cryptography/commit/382e759bcded5773330eeed748c86b213ec618c5","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pyca/cryptography/commit/382e759bcded5773330eeed748c86b213ec618c5"},{"reference_url":"https://github.com/pyca/cryptography/commit/cf2ada625d1188d6cd46396f301b98095da577f7","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pyca/cryptography/commit/cf2ada625d1188d6cd46396f301b98095da577f7"},{"reference_url":"https://github.com/pyca/cryptography/security/advisories/GHSA-39hc-v87j-747x","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pyca/cryptography/security/advisories/GHSA-39hc-v87j-747x"},{"reference_url":"https://github.com/advisories/GHSA-39hc-v87j-747x","reference_id":"GHSA-39hc-v87j-747x","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-39hc-v87j-747x"}],"weaknesses":[{"cwe_id":1035,"name":"OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017."},{"cwe_id":937,"name":"OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities","description":"Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013."}],"exploits":[],"severity_range_score":"4.0 - 6.9","exploitability":"0.5","weighted_severity":"6.2","risk_score":3.1,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fy6y-f41e-8qex"}