High severityNVD Advisory· Published Feb 21, 2024· Updated Aug 14, 2024
cryptography NULL pointer deference with pkcs12.serialize_key_and_certificates when called with a non-matching certificate and private key and an hmac_hash override
CVE-2024-26130
Description
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting in version 38.0.0 and prior to version 42.0.4, if pkcs12.serialize_key_and_certificates is called with both a certificate whose public key did not match the provided private key and an encryption_algorithm with hmac_hash set (via PrivateFormat.PKCS12.encryption_builder().hmac_hash(...), then a NULL pointer dereference would occur, crashing the Python process. This has been resolved in version 42.0.4, the first version in which a ValueError is properly raised.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
cryptographyPyPI | >= 38.0.0, < 42.0.4 | 42.0.4 |
Affected products
54- osv-coords53 versionspkg:apk/chainguard/azpkg:apk/chainguard/az-iamguarded-compatpkg:apk/chainguard/ggshieldpkg:apk/chainguard/kubeflow-pipelinespkg:apk/chainguard/kubeflow-pipelines-apiserverpkg:apk/chainguard/kubeflow-pipelines-cache-deployerpkg:apk/chainguard/kubeflow-pipelines-cache-deployer-compatpkg:apk/chainguard/kubeflow-pipelines-cache_serverpkg:apk/chainguard/kubeflow-pipelines-frontendpkg:apk/chainguard/kubeflow-pipelines-metadata-envoy-configpkg:apk/chainguard/kubeflow-pipelines-metadata-writerpkg:apk/chainguard/kubeflow-pipelines-metadata-writer-compatpkg:apk/chainguard/kubeflow-pipelines-persistence_agentpkg:apk/chainguard/kubeflow-pipelines-scheduledworkflowpkg:apk/chainguard/kubeflow-pipelines-viewer-crd-controllerpkg:apk/chainguard/mitmproxypkg:apk/chainguard/py3.10-cryptographypkg:apk/chainguard/py3.11-cryptographypkg:apk/chainguard/py3.12-cryptographypkg:apk/chainguard/py3-cassandra-medusapkg:apk/chainguard/py3-cassandra-medusa-compatpkg:apk/chainguard/py3-cryptographypkg:apk/chainguard/request-1276pkg:apk/chainguard/request-1276-compatpkg:apk/wolfi/azpkg:apk/wolfi/az-iamguarded-compatpkg:apk/wolfi/ggshieldpkg:apk/wolfi/kubeflow-pipelinespkg:apk/wolfi/kubeflow-pipelines-apiserverpkg:apk/wolfi/kubeflow-pipelines-cache-deployerpkg:apk/wolfi/kubeflow-pipelines-cache-deployer-compatpkg:apk/wolfi/kubeflow-pipelines-cache_serverpkg:apk/wolfi/kubeflow-pipelines-frontendpkg:apk/wolfi/kubeflow-pipelines-metadata-envoy-configpkg:apk/wolfi/kubeflow-pipelines-metadata-writerpkg:apk/wolfi/kubeflow-pipelines-metadata-writer-compatpkg:apk/wolfi/kubeflow-pipelines-persistence_agentpkg:apk/wolfi/kubeflow-pipelines-scheduledworkflowpkg:apk/wolfi/kubeflow-pipelines-viewer-crd-controllerpkg:apk/wolfi/mitmproxypkg:apk/wolfi/py3.10-cryptographypkg:apk/wolfi/py3.11-cryptographypkg:apk/wolfi/py3.12-cryptographypkg:apk/wolfi/py3-cassandra-medusapkg:apk/wolfi/py3-cassandra-medusa-compatpkg:apk/wolfi/py3-cryptographypkg:pypi/cryptographypkg:rpm/almalinux/python3.12-cryptographypkg:rpm/opensuse/python-cryptography&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/python-cryptography&distro=openSUSE%20Leap%2015.6pkg:rpm/opensuse/python-cryptography&distro=openSUSE%20Tumbleweedpkg:rpm/suse/python-cryptography&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Python%203%2015%20SP5pkg:rpm/suse/python-cryptography&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Python%203%2015%20SP6
< 2.58.0-r0+ 52 more
- (no CPE)range: < 2.58.0-r0
- (no CPE)range: < 2.58.0-r0
- (no CPE)range: < 1.25.0-r0
- (no CPE)range: < 2.0.5-r3
- (no CPE)range: < 2.0.5-r3
- (no CPE)range: < 2.0.5-r3
- (no CPE)range: < 2.0.5-r3
- (no CPE)range: < 2.0.5-r3
- (no CPE)range: < 2.0.5-r3
- (no CPE)range: < 2.0.5-r3
- (no CPE)range: < 2.0.5-r3
- (no CPE)range: < 2.0.5-r3
- (no CPE)range: < 2.0.5-r3
- (no CPE)range: < 2.0.5-r3
- (no CPE)range: < 2.0.5-r3
- (no CPE)range: < 12.2.1-r0
- (no CPE)range: < 42.0.4-r0
- (no CPE)range: < 42.0.4-r0
- (no CPE)range: < 42.0.4-r0
- (no CPE)range: < 0.19.1-r1
- (no CPE)range: < 0.19.1-r1
- (no CPE)range: < 42.0.4-r0
- (no CPE)range: < 0.23.0-r30
- (no CPE)range: < 0.23.0-r30
- (no CPE)range: < 2.58.0-r0
- (no CPE)range: < 2.58.0-r0
- (no CPE)range: < 1.25.0-r0
- (no CPE)range: < 2.0.5-r3
- (no CPE)range: < 2.0.5-r3
- (no CPE)range: < 2.0.5-r3
- (no CPE)range: < 2.0.5-r3
- (no CPE)range: < 2.0.5-r3
- (no CPE)range: < 2.0.5-r3
- (no CPE)range: < 2.0.5-r3
- (no CPE)range: < 2.0.5-r3
- (no CPE)range: < 2.0.5-r3
- (no CPE)range: < 2.0.5-r3
- (no CPE)range: < 2.0.5-r3
- (no CPE)range: < 2.0.5-r3
- (no CPE)range: < 12.2.1-r0
- (no CPE)range: < 42.0.4-r0
- (no CPE)range: < 42.0.4-r0
- (no CPE)range: < 42.0.4-r0
- (no CPE)range: < 0.19.1-r1
- (no CPE)range: < 0.19.1-r1
- (no CPE)range: < 42.0.4-r0
- (no CPE)range: >= 38.0.0, < 42.0.4
- (no CPE)range: < 41.0.7-2.el9_6.1
- (no CPE)range: < 41.0.3-150400.16.15.1
- (no CPE)range: < 41.0.3-150600.23.3.1
- (no CPE)range: < 42.0.4-1.1
- (no CPE)range: < 41.0.3-150400.16.15.1
- (no CPE)range: < 41.0.3-150600.23.3.1
- Range: >= 38.0.0, < 42.0.4
Patches
Vulnerability mechanics
References
6- github.com/advisories/GHSA-6vqw-3v5j-54x4ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-26130ghsaADVISORY
- github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55ghsax_refsource_MISCWEB
- github.com/pyca/cryptography/pull/10423ghsax_refsource_MISCWEB
- github.com/pyca/cryptography/security/advisories/GHSA-6vqw-3v5j-54x4ghsax_refsource_CONFIRMWEB
- github.com/pypa/advisory-database/tree/main/vulns/cryptography/PYSEC-2024-225.yamlghsaWEB
News mentions
0No linked articles in our index yet.