CVE-2020-36242 — CRITICAL (9.1)

Q: How severe is CVE-2020-36242?

CVE-2020-36242 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2020-36242?

Check the references section above for vendor advisories and patch information. Affected products include: Cryptography.Io Cryptography, Fedoraproject Fedora, Oracle Communications Cloud Native Core Network Function Cloud Native Environment.

Vulnerability Description

In the cryptography package before 3.3.2 for Python, certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class.

CVSS Score

9.1

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Cryptography.Io	Cryptography	< 3.3.2
Fedoraproject	Fedora	33
Oracle	Communications Cloud Native Core Network Function Cloud Native Environment	1.10.0

Related Weaknesses (CWE)

CWE-190 CWE-787

References

https://github.com/pyca/cryptography/blob/master/CHANGELOG.rstRelease NotesThird Party Advisory
https://github.com/pyca/cryptography/compare/3.3.1...3.3.2PatchThird Party Advisory
https://github.com/pyca/cryptography/issues/5615ExploitPatchThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://www.oracle.com/security-alerts/cpuapr2022.htmlPatchThird Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.htmlPatchThird Party Advisory
https://github.com/pyca/cryptography/blob/master/CHANGELOG.rstRelease NotesThird Party Advisory
https://github.com/pyca/cryptography/compare/3.3.1...3.3.2PatchThird Party Advisory
https://github.com/pyca/cryptography/issues/5615ExploitPatchThird Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
https://www.oracle.com/security-alerts/cpuapr2022.htmlPatchThird Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.htmlPatchThird Party Advisory

FAQ

What is CVE-2020-36242?

CVE-2020-36242 is a vulnerability with a CVSS score of 9.1 (CRITICAL). In the cryptography package before 3.3.2 for Python, certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated...

How severe is CVE-2020-36242?

CVE-2020-36242 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2020-36242?

Check the references section above for vendor advisories and patch information. Affected products include: Cryptography.Io Cryptography, Fedoraproject Fedora, Oracle Communications Cloud Native Core Network Function Cloud Native Environment.