
CVE-2024-5642:
CPython 3.9 and earlier doesn't disallow configuring an empty list ("[]") for SSLContext.set_npn_protocols(), which is an invalid value for the underlying OpenSSL API. This results in a buffer over-read when NPN is used (see CVE-2024-5535 for OpenSSL).

CVSS Score: 6.5

Basic Information

EPSS Score: -
CWE: -
Published: 6/27/2024
Updated: 11/7/2024
KEV Status: No
Technology: -

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L (network-reachable, low attack complexity, no privileges or user interaction required; low impact on confidentiality and availability, none on integrity)

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability description for CVE-2024-5642 identifies SSLContext.set_npn_protocols() as the problematic function in CPython. Before the fix, this Python method accepted an empty list, encoded it into a zero-length protocol buffer, and passed that buffer to the underlying C function _ssl._SSLContext._set_npn_protocols (implemented by _ssl__SSLContext__set_npn_protocols_impl in Modules/_ssl.c). The commit 39258d3595300bc7b952854c915f63ae2d4b9c3e, which is part of the fix (PR #23014), removes the C implementation of NPN support, including _ssl__SSLContext__set_npn_protocols_impl. The removed C code stored the buffer and its length (protos->len) without rejecting a zero-length list and then registered the NPN callbacks, so OpenSSL was later invoked with an empty protocol list. The buffer over-read itself happens inside OpenSSL (CVE-2024-5535); CPython's part in this vulnerability is that it let the invalid configuration reach OpenSSL instead of validating it. Both the Python entry point and its C implementation are therefore vulnerable in their state prior to the fix.
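As an added example (not code from this page, from Miggo, or from CPython itself), the block below reproduces in pure Python the length-prefixed encoding that the pre-fix Lib/ssl.py performed before handing the buffer to the C layer, shows that an empty list turns into a zero-length buffer (the protos->len == 0 condition described above), and wraps set_npn_protocols() with the non-empty check the standard library lacked in 3.9 and earlier. The names encode_npn_protocols, is_affected_interpreter, safe_set_npn_protocols and the RecordingContext stand-in are assumptions for illustration; the wire format (one length byte followed by the ASCII protocol name, 1 to 255 bytes) is the one ssl.py used.

```python
import ssl
import sys
import warnings


def encode_npn_protocols(protocols):
    """Build the length-prefixed buffer that Lib/ssl.py handed to the C layer.

    Mirrors the pre-fix ssl.SSLContext.set_npn_protocols() encoding: each
    protocol name is ASCII, 1..255 bytes long, preceded by a one-byte length.
    An empty input list yields an empty buffer, i.e. protos->len == 0 on the
    C side, which is the condition behind CVE-2024-5642.
    """
    buf = bytearray()
    for protocol in protocols:
        b = bytes(protocol, "ascii")
        if len(b) == 0 or len(b) > 255:
            raise ssl.SSLError("NPN protocols must be 1 to 255 in length")
        buf.append(len(b))
        buf.extend(b)
    return bytes(buf)


def is_affected_interpreter(version_info=sys.version_info):
    """True for CPython 3.9 and earlier, the range named in the advisory."""
    return tuple(version_info[:2]) <= (3, 9)


def safe_set_npn_protocols(ctx, protocols):
    """Hypothetical hardened wrapper: reject an empty list before it reaches C.

    `ctx` is any object exposing set_npn_protocols(), e.g. ssl.SSLContext.
    Returns the encoded buffer so callers can log or assert on it.
    """
    protocols = list(protocols)
    if not protocols:
        raise ValueError(
            "NPN protocol list must not be empty (CVE-2024-5642 / CVE-2024-5535)"
        )
    encoded = encode_npn_protocols(protocols)  # re-validates per-entry lengths
    with warnings.catch_warnings():
        # Newer CPython releases deprecate NPN; keep the demo output clean.
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.set_npn_protocols(protocols)
    return encoded


class RecordingContext:
    """Stand-in for ssl.SSLContext, constructed for this example: it records
    what would have been passed down so the demo runs without a TLS handshake."""

    def __init__(self):
        self.calls = []

    def set_npn_protocols(self, protocols):
        self.calls.append(list(protocols))


if __name__ == "__main__":
    print("affected interpreter:", is_affected_interpreter())
    print("encoded:", encode_npn_protocols(["http/1.1", "spdy/2"]))
    # The empty list encodes to b'' -- the zero-length buffer OpenSSL cannot handle.
    print("empty list encodes to:", encode_npn_protocols([]))
    ctx = RecordingContext()
    print("wrapper passed:", safe_set_npn_protocols(ctx, ["http/1.1"]), ctx.calls)
    try:
        safe_set_npn_protocols(ctx, [])
    except ValueError as exc:
        print("wrapper rejected empty list:", exc)
```

The wrapper only adds the check that was missing; it does not change how the protocol list is encoded. On an affected interpreter, every code path that calls set_npn_protocols() with a caller-supplied list should go through such a check, and since NPN is deprecated in favour of ALPN the better long-term fix is to stop configuring NPN at all.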
