N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-v8gr-m533-ghj9

EPSS Score

CWE

Published

9/21/2023

Updated

9/21/2023

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-v8gr-m533-ghj9

GHSA-v8gr-m533-ghj9: Vulnerable OpenSSL included in cryptography wheels

pyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in cryptography 2.5-41.0.3 are vulnerable to several security issues. More details about the vulnerabilities themselves can be found in https://www.openssl.org/news/secadv/20230908.txt.

If you are building cryptography source ("sdist") then you are responsible for upgrading your copy of OpenSSL. Only users installing from wheels built by the cryptography project (i.e., those distributed on PyPI) need to update their cryptography versions.

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-v8gr-m533-ghj9

EPSS Score

CWE

Published

9/21/2023

Updated

9/21/2023

KEV Status

Technology

Python

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
cryptography	pip	>= 2.5, < 41.0.4	41.0.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the cryptography package including a statically linked vulnerable OpenSSL version (3.1.2 and older) in its pre-built wheels. The vulnerability does not reside in the cryptography codebase itself, but rather in the bundled OpenSSL library. The fix (in cryptography 41.0.4) updates the OpenSSL dependency to 3.1.3 but does not modify any cryptographic functions in the Python code. Vulnerable functions would be specific to OpenSSL (e.g., those related to POLY1305 MAC or incorrect cipher keying mentioned in OpenSSL's CVE-2023-4807), but these are not part of the cryptography package's code. Thus, no cryptography functions are directly vulnerable with high confidence.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

py**/*rypto*r*p*y's w***ls in*lu** * st*ti**lly link** *opy o* Op*nSSL. T** v*rsions o* Op*nSSL in*lu*** in *rypto*r*p*y *.*-**.*.* *r* vuln*r**l* to s*v*r*l s**urity issu*s. Mor* **t*ils **out t** vuln*r**iliti*s t**ms*lv*s **n ** *oun* in *ttps://w

Reasoning

T** vuln*r**ility st*ms *rom t** *rypto*r*p*y p**k*** in*lu*in* * st*ti**lly link** vuln*r**l* Op*nSSL v*rsion (*.*.* *n* ol**r) in its pr*-*uilt w***ls. T** vuln*r**ility *o*s not r*si** in t** *rypto*r*p*y *o****s* its*l*, *ut r*t**r in t** *un*l**

N/A

Basic Information

Concerned about an active attack path?

GHSA-v8gr-m533-ghj9: Vulnerable OpenSSL included in cryptography wheels

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI