GHSA-rhm9-p9w5-fwm7

Source

https://github.com/advisories/GHSA-rhm9-p9w5-fwm7

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/02/GHSA-rhm9-p9w5-fwm7/GHSA-rhm9-p9w5-fwm7.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-rhm9-p9w5-fwm7

Aliases

Published

2021-02-10T01:32:27Z

Modified

2024-09-13T19:08:49.211360Z

Severity

9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H CVSS Calculator
8.8 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator

Summary

PyCA Cryptography symmetrically encrypting large values can lead to integer overflow

Details

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. When certain sequences of update() calls with large values (multiple GBs) for symetric encryption or decryption occur, it's possible for an integer overflow to happen, leading to mishandling of buffers. This is patched in version 3.3.2 and newer.

References

Affected packages

PyPI / cryptography

Package

Name: cryptography; View open source insights on deps.dev
Purl: pkg:pypi/cryptography

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.1

Fixed

3.3.2

Affected versions

3.*

3.1

3.1.1

3.2

3.2.1

3.3

3.3.1

Ecosystem specific

{
    "affected_functions": [
        "cryptography.hazmat.backends.openssl.ciphers._CipherContext"
    ]
}