Vulnerability Description
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting in version 38.0.0 and prior to version 42.0.4, if `pkcs12.serialize_key_and_certificates` is called with both a certificate whose public key did not match the provided private key and an `encryption_algorithm` with `hmac_hash` set (via `PrivateFormat.PKCS12.encryption_builder().hmac_hash(...)`, then a NULL pointer dereference would occur, crashing the Python process. This has been resolved in version 42.0.4, the first version in which a `ValueError` is properly raised.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Cryptography.Io | Cryptography | >= 38.0.0, < 42.0.4 |
Related Weaknesses (CWE)
References
- https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1bPatch
- https://github.com/pyca/cryptography/pull/10423Issue TrackingPatch
- https://github.com/pyca/cryptography/security/advisories/GHSA-6vqw-3v5j-54x4Vendor Advisory
- https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1bPatch
- https://github.com/pyca/cryptography/pull/10423Issue TrackingPatch
- https://github.com/pyca/cryptography/security/advisories/GHSA-6vqw-3v5j-54x4Vendor Advisory
FAQ
What is CVE-2024-26130?
CVE-2024-26130 is a vulnerability with a CVSS score of 7.5 (HIGH). cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting in version 38.0.0 and prior to version 42.0.4, if `pkcs12.serialize_key_and_certificate...
How severe is CVE-2024-26130?
CVE-2024-26130 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-26130?
Check the references section above for vendor advisories and patch information. Affected products include: Cryptography.Io Cryptography.