Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

x/vulndb: potential Go vuln in github.com/pyca/cryptography: CVE-2023-49083 #2367

Closed
GoVulnBot opened this issue Nov 29, 2023 · 1 comment
Closed

x/vulndb: potential Go vuln in github.com/pyca/cryptography: CVE-2023-49083 #2367

GoVulnBot opened this issue Nov 29, 2023 · 1 comment
Assignees
@maceonthompson
Labels
excluded: NOT_GO_CODE This vulnerability does not refer to a Go module.

Comments

@GoVulnBot
Copy link

CVE-2023-49083 references github.com/pyca/cryptography, which may be a Go module.

Description:
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling load_pem_pkcs7_certificates or load_der_pkcs7_certificates could lead to a NULL-pointer dereference and segfault. Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system availability and stability. This vulnerability has been patched in version 41.0.6.

References:

Cross references:

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/pyca/cryptography
      vulnerable_at: 0.0.0-20231129023145-11e92173875d
      packages:
        - package: cryptography
cves:
    - CVE-2023-49083
references:
    - advisory: https://github.com/pyca/cryptography/security/advisories/GHSA-jfhm-5ghh-2f97
    - fix: https://github.com/pyca/cryptography/pull/9926
    - fix: https://github.com/pyca/cryptography/commit/f09c261ca10a31fe41b1262306db7f8f1da0e48a
@maceonthompson maceonthompson added the excluded: NOT_GO_CODE This vulnerability does not refer to a Go module. label Nov 30, 2023
@maceonthompson maceonthompson self-assigned this Nov 30, 2023
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/545818 mentions this issue: data/excluded: batch add 13 excluded reports

@GoVulnBot GoVulnBot mentioned this issue Feb 21, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@maceonthompson maceonthompson

Labels
excluded: NOT_GO_CODE This vulnerability does not refer to a Go module.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@gopherbot @maceonthompson @GoVulnBot