Vulnerability details: VCID-wmwm-snjw-aaam
Vulnerability ID VCID-wmwm-snjw-aaam
Aliases CGA-f4qg-9fw4-8247
CVE-2024-26130
GHSA-6vqw-3v5j-54x4
PYSEC-2024-225
Summary cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting in version 38.0.0 and prior to version 42.0.4, if `pkcs12.serialize_key_and_certificates` is called with both a certificate whose public key did not match the provided private key and an `encryption_algorithm` with `hmac_hash` set (via `PrivateFormat.PKCS12.encryption_builder().hmac_hash(...)`), then a NULL pointer dereference would occur, crashing the Python process. This has been resolved in version 42.0.4, the first version in which a `ValueError` is properly raised.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Weaknesses (3)
System Score Found at
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-26130.json
epss 0.00045 https://api.first.org/data/v1/epss?cve=CVE-2024-26130
epss 0.00232 https://api.first.org/data/v1/epss?cve=CVE-2024-26130
epss 0.00257 https://api.first.org/data/v1/epss?cve=CVE-2024-26130
epss 0.00264 https://api.first.org/data/v1/epss?cve=CVE-2024-26130
epss 0.00792 https://api.first.org/data/v1/epss?cve=CVE-2024-26130
cvssv3.1 6.2 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-6vqw-3v5j-54x4
cvssv3.1 7.5 https://github.com/pyca/cryptography
generic_textual HIGH https://github.com/pyca/cryptography
cvssv3.1 7.5 https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55
generic_textual HIGH https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55
cvssv3.1 7.5 https://github.com/pyca/cryptography/pull/10423
generic_textual HIGH https://github.com/pyca/cryptography/pull/10423
cvssv3.1 7.5 https://github.com/pyca/cryptography/security/advisories/GHSA-6vqw-3v5j-54x4
cvssv3.1_qr HIGH https://github.com/pyca/cryptography/security/advisories/GHSA-6vqw-3v5j-54x4
generic_textual HIGH https://github.com/pyca/cryptography/security/advisories/GHSA-6vqw-3v5j-54x4
cvssv3.1 7.5 https://github.com/pypa/advisory-database/tree/main/vulns/cryptography/PYSEC-2024-225.yaml
generic_textual HIGH https://github.com/pypa/advisory-database/tree/main/vulns/cryptography/PYSEC-2024-225.yaml
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2024-26130
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2024-26130
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-26130.json
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/pyca/cryptography
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/pyca/cryptography/pull/10423
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/pyca/cryptography/security/advisories/GHSA-6vqw-3v5j-54x4
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/pypa/advisory-database/tree/main/vulns/cryptography/PYSEC-2024-225.yaml
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2024-26130
Exploit Prediction Scoring System (EPSS)
Percentile 0.16666
EPSS Score 0.00045
Published At Nov. 1, 2024, midnight
Date Actor Action Source VulnerableCode Version
2024-04-23T17:18:52.977250+00:00 NVD Importer Import https://nvd.nist.gov/vuln/detail/CVE-2024-26130 34.0.0rc4