Описание
CPython 3.9 and earlier doesn't disallow configuring an empty list ("[]") for SSLContext.set_npn_protocols() which is an invalid value for the underlying OpenSSL API. This results in a buffer over-read when NPN is used (see CVE-2024-5535 for OpenSSL). This vulnerability is of low severity due to NPN being not widely used and specifying an empty list likely being uncommon in-practice (typically a protocol name would be configured).
A vulnerability was found in Python/CPython that does not disallow configuring an empty list ("[]") for SSLContext.set_npn_protocols(), which is an invalid value for the underlying OpenSSL API. This issue results in a buffer over-read when NPN is used. See CVE -2024-5535 for OpenSSL for more information.
Отчет
This vulnerability is rated with a Low severity due to NPN not being widely used and specifying an empty list is likely uncommon in practice. Typically, a protocol name would be configured.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 10 | python3.12 | Not affected | ||
| Red Hat Enterprise Linux 6 | python | Out of support scope | ||
| Red Hat Enterprise Linux 7 | python | Out of support scope | ||
| Red Hat Enterprise Linux 7 | python3 | Out of support scope | ||
| Red Hat Enterprise Linux 8 | gimp:flatpak/python2 | Fix deferred | ||
| Red Hat Enterprise Linux 8 | inkscape:flatpak/python2 | Fix deferred | ||
| Red Hat Enterprise Linux 8 | python27:2.7/python2 | Fix deferred | ||
| Red Hat Enterprise Linux 8 | python3 | Not affected | ||
| Red Hat Enterprise Linux 8 | python3.11 | Not affected | ||
| Red Hat Enterprise Linux 8 | python3.12 | Not affected |
Показывать по
Дополнительная информация
Статус:
EPSS
2.7 Low
CVSS3
Связанные уязвимости
CPython 3.9 and earlier doesn't disallow configuring an empty list ("[]") for SSLContext.set_npn_protocols() which is an invalid value for the underlying OpenSSL API. This results in a buffer over-read when NPN is used (see CVE-2024-5535 for OpenSSL). This vulnerability is of low severity due to NPN being not widely used and specifying an empty list likely being uncommon in-practice (typically a protocol name would be configured).
CPython 3.9 and earlier doesn't disallow configuring an empty list ("[]") for SSLContext.set_npn_protocols() which is an invalid value for the underlying OpenSSL API. This results in a buffer over-read when NPN is used (see CVE-2024-5535 for OpenSSL). This vulnerability is of low severity due to NPN being not widely used and specifying an empty list likely being uncommon in-practice (typically a protocol name would be configured).
Buffer overread when using an empty list with SSLContext.set_npn_protocols()
CPython 3.9 and earlier doesn't disallow configuring an empty list ("[ ...
EPSS
2.7 Low
CVSS3