Vulnerability details: VCID-uvg4-qjhy-aaaq
Vulnerability ID: VCID-uvg4-qjhy-aaaq
Aliases: CVE-2023-49083, GHSA-jfhm-5ghh-2f97, PYSEC-2023-254
Summary: cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling `load_pem_pkcs7_certificates` or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference and segfault. Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system availability and stability. This vulnerability has been patched in version 41.0.6.
Status: Published
Exploitability: 0.5
Weighted Severity: 8.0
Risk: 4.0
Weaknesses (3)
System Score Found at
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-49083.json
epss 0.00068 https://api.first.org/data/v1/epss?cve=CVE-2023-49083
epss 0.00081 https://api.first.org/data/v1/epss?cve=CVE-2023-49083
epss 0.00092 https://api.first.org/data/v1/epss?cve=CVE-2023-49083
epss 0.00445 https://api.first.org/data/v1/epss?cve=CVE-2023-49083
epss 0.00457 https://api.first.org/data/v1/epss?cve=CVE-2023-49083
epss 0.0057 https://api.first.org/data/v1/epss?cve=CVE-2023-49083
epss 0.01923 https://api.first.org/data/v1/epss?cve=CVE-2023-49083
cvssv3.1 5.5 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-jfhm-5ghh-2f97
cvssv3.1 7.5 https://github.com/pyca/cryptography
generic_textual HIGH https://github.com/pyca/cryptography
cvssv3.1 5.9 https://github.com/pyca/cryptography/commit/f09c261ca10a31fe41b1262306db7f8f1da0e48a
generic_textual MODERATE https://github.com/pyca/cryptography/commit/f09c261ca10a31fe41b1262306db7f8f1da0e48a
cvssv3.1 5.9 https://github.com/pyca/cryptography/pull/9926
generic_textual MODERATE https://github.com/pyca/cryptography/pull/9926
cvssv3.1 5.9 https://github.com/pyca/cryptography/security/advisories/GHSA-jfhm-5ghh-2f97
generic_textual MODERATE https://github.com/pyca/cryptography/security/advisories/GHSA-jfhm-5ghh-2f97
cvssv3.1 5.9 https://github.com/pypa/advisory-database/tree/main/vulns/cryptography/PYSEC-2023-254.yaml
generic_textual MODERATE https://github.com/pypa/advisory-database/tree/main/vulns/cryptography/PYSEC-2023-254.yaml
cvssv3.1 5.9 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QMNTYMUGFJSDBYBU22FUYBHFRZODRKXV
generic_textual MODERATE https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QMNTYMUGFJSDBYBU22FUYBHFRZODRKXV
cvssv3.1 7.5 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QMNTYMUGFJSDBYBU22FUYBHFRZODRKXV/
cvssv3 7.5 https://nvd.nist.gov/vuln/detail/CVE-2023-49083
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2023-49083
cvssv3.1 5.9 http://www.openwall.com/lists/oss-security/2023/11/29/2
generic_textual MODERATE http://www.openwall.com/lists/oss-security/2023/11/29/2
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-49083.json
https://api.first.org/data/v1/epss?cve=CVE-2023-49083
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-49083
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/pyca/cryptography
https://github.com/pyca/cryptography/commit/f09c261ca10a31fe41b1262306db7f8f1da0e48a
https://github.com/pyca/cryptography/pull/9926
https://github.com/pyca/cryptography/security/advisories/GHSA-jfhm-5ghh-2f97
https://github.com/pypa/advisory-database/tree/main/vulns/cryptography/PYSEC-2023-254.yaml
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QMNTYMUGFJSDBYBU22FUYBHFRZODRKXV
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QMNTYMUGFJSDBYBU22FUYBHFRZODRKXV/
http://www.openwall.com/lists/oss-security/2023/11/29/2
1057108 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1057108
2255331 https://bugzilla.redhat.com/show_bug.cgi?id=2255331
cpe:2.3:a:cryptography.io:cryptography:*:*:*:*:*:python:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:cryptography.io:cryptography:*:*:*:*:*:python:*:*
cpe:2.3:a:cryptography_project:cryptography:*:*:*:*:*:python:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:cryptography_project:cryptography:*:*:*:*:*:python:*:*
CVE-2023-49083 https://nvd.nist.gov/vuln/detail/CVE-2023-49083
GHSA-jfhm-5ghh-2f97 https://github.com/advisories/GHSA-jfhm-5ghh-2f97
GLSA-202407-06 https://security.gentoo.org/glsa/202407-06
RHSA-2024:10965 https://access.redhat.com/errata/RHSA-2024:10965
RHSA-2024:1878 https://access.redhat.com/errata/RHSA-2024:1878
RHSA-2024:2337 https://access.redhat.com/errata/RHSA-2024:2337
RHSA-2024:3105 https://access.redhat.com/errata/RHSA-2024:3105
RHSA-2024:3781 https://access.redhat.com/errata/RHSA-2024:3781
USN-6539-1 https://usn.ubuntu.com/6539-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-49083.json

Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/pyca/cryptography

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/pyca/cryptography/commit/f09c261ca10a31fe41b1262306db7f8f1da0e48a

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/pyca/cryptography/pull/9926

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/pyca/cryptography/security/advisories/GHSA-jfhm-5ghh-2f97

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/pypa/advisory-database/tree/main/vulns/cryptography/PYSEC-2023-254.yaml

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QMNTYMUGFJSDBYBU22FUYBHFRZODRKXV

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QMNTYMUGFJSDBYBU22FUYBHFRZODRKXV/

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2023-49083
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H Found at http://www.openwall.com/lists/oss-security/2023/11/29/2

Exploit Prediction Scoring System (EPSS)
Percentile 0.30901
EPSS Score 0.00068
Published At Nov. 1, 2024, midnight
Date Actor Action Source VulnerableCode Version
2024-01-03T17:14:07.794355+00:00 NVD Importer Import https://nvd.nist.gov/vuln/detail/CVE-2023-49083 34.0.0rc1