VYPR

rpm package

opensuse/python-cryptography (distro: openSUSE Tumbleweed)

pkg:rpm/opensuse/python-cryptography&distro=openSUSE%20Tumbleweed

Vulnerabilities (13)

  • CVE-2026-39892  Critical  Apr 8, 2026
    affected < 46.0.7-1.1; fixed 46.0.7-1.1

    cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. From 45.0.0 to before 46.0.7, if a non-contiguous buffer was passed to APIs which accepted Python buffers (e.g. Hash.update()), this could lead to buffer overflows. This vulner

  • CVE-2026-34073  Medium  Mar 31, 2026
    affected < 46.0.6-1.1; fixed 46.0.6-1.1

    cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to version 46.0.6, DNS name constraints were only validated against SANs within child certificates, and not the "peer name" presented during each validation. Consequently

  • CVE-2026-26007  Feb 10, 2026
    affected < 46.0.5-1.1; fixed 46.0.5-1.1

    cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to 46.0.5, the public_key_from_numbers (or EllipticCurvePublicNumbers.public_key()), EllipticCurvePublicNumbers.public_key(), load_der_public_key() and load_pem_public_ke

  • CVE-2024-33664  Apr 25, 2024
    affected < 3.3.0-3.1; fixed 3.3.0-3.1

    python-jose through 3.3.0 allows attackers to cause a denial of service (resource consumption) during a decode via a crafted JSON Web Encryption (JWE) token with a high compression ratio, aka a "JWT bomb." This is similar to CVE-2024-21319.

  • CVE-2024-33663  Apr 25, 2024
    affected < 3.3.0-3.1; fixed 3.3.0-3.1

    python-jose through 3.3.0 has algorithm confusion with OpenSSH ECDSA keys and other key formats. This is similar to CVE-2022-29217.

  • CVE-2024-26130  Feb 21, 2024
    affected < 42.0.4-1.1; fixed 42.0.4-1.1

    cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting in version 38.0.0 and prior to version 42.0.4, if `pkcs12.serialize_key_and_certificates` is called with both a certificate whose public key did not match the provided

  • CVE-2023-49083  Nov 29, 2023
    affected < 41.0.7-1.1; fixed 41.0.7-1.1

    cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling `load_pem_pkcs7_certificates` or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference and segfault. Exploitation of this vulnerability poses a serious

  • CVE-2023-38325  Jul 14, 2023
    affected < 41.0.2-2.1; fixed 41.0.2-2.1

    The cryptography package before 41.0.2 for Python mishandles SSH certificates that have critical options.

  • CVE-2023-23931  Feb 7, 2023
    affected < 39.0.1-1.1; fixed 39.0.1-1.1

    cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions `Cipher.update_into` would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable object

  • CVE-2022-3786  High  Nov 1, 2022
    affected < 38.0.3-1.1; fixed 38.0.3-1.1

    A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed a malicious certificate or for an application to continue ce

  • CVE-2022-3602  High  Nov 1, 2022
    affected < 38.0.3-1.1; fixed 38.0.3-1.1

    A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue

  • CVE-2020-36242  Feb 7, 2021
    affected < 3.3.2-2.4; fixed 3.3.2-2.4

    In the cryptography package before 3.3.2 for Python, certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class.

  • CVE-2020-25659  Jan 11, 2021
    affected < 3.3.2-2.4; fixed 3.3.2-2.4

    python-cryptography 3.2 is vulnerable to Bleichenbacher timing attacks in the RSA decryption API, via timed processing of valid PKCS#1 v1.5 ciphertext.