GHSA-v8gr-m533-ghj9: Vulnerable OpenSSL included in cryptography wheels

CVSS Score: N/A

Basic Information

CVE ID: -
EPSS Score: -
CWE: -
Published: 9/21/2023
Updated: 9/21/2023
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: -

Package Name: cryptography
Ecosystem: pip
Vulnerable Versions: >= 2.5, < 41.0.4
First Patched Version: 41.0.4

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from the cryptography package shipping a statically linked copy of OpenSSL in its pre-built wheels: the copies bundled in cryptography 2.5 through 41.0.3 (OpenSSL 3.1.2 and older) are affected by OpenSSL security issues. The vulnerability does not reside in the cryptography codebase itself but in the bundled OpenSSL library. The fix in cryptography 41.0.4 updates the bundled OpenSSL to 3.1.3 and does not modify any cryptographic functions in the Python code. The vulnerable functions are specific to OpenSSL (for example the POLY1305 MAC implementation covered by OpenSSL's CVE-2023-4807) and are not part of the cryptography package's own code. Thus, with high confidence, no function in the cryptography package is directly vulnerable; the exposure sits entirely in the statically linked OpenSSL. A practical consequence for anyone triaging this: the version of OpenSSL actually linked into an installation, not the package version alone, is what determines exposure. A wheel from PyPI carries the bundled copy and is fixed by upgrading the package; a build from source is linked against whatever OpenSSL the system provides and has to be patched on that side.
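As an added example (not code from the advisory page or from the pyca/cryptography project), the following Python script turns that distinction into a check: it reads the version of the OpenSSL actually linked into an installed cryptography build and compares it against the fixed release, instead of trusting the package version on its own. The affected range (>= 2.5, < 41.0.4), the patched release 41.0.4 and OpenSSL 3.1.3 come from this page; the fixed releases for the other OpenSSL branches that older wheels bundled (3.0.11 and 1.1.1w) are taken from OpenSSL's own advisory for CVE-2023-4807 and are an assumption here, as is the use of cryptography's `openssl_version_text()` backend method to read the linked version at runtime. The sample inputs at the bottom are constructed, not observed.

```python
"""Audit a cryptography install for the OpenSSL bundled in its wheel.

Added example, not code from the advisory page or the pyca/cryptography project.
Values from the page: affected range >= 2.5, < 41.0.4; fixed in 41.0.4, which
bundles OpenSSL 3.1.3. Assumed (from OpenSSL's CVE-2023-4807 advisory, not this
page): fixed releases 3.0.11 and 1.1.1w on the other branches older wheels used.
"""
import re

AFFECTED_MIN = (2, 5)        # first affected cryptography release (page)
FIRST_PATCHED = (41, 0, 4)   # first release whose wheel ships a fixed OpenSSL (page)

# First fixed OpenSSL release per branch. Only (3, 1) is stated on the page; the
# rest is an assumption. 1.1.1's letter suffix is stored as its alphabet index.
OPENSSL_FIXED = {
    (3, 1): (3, 1, 3),
    (3, 0): (3, 0, 11),
    (1, 1, 1): (1, 1, 1, 23),   # 1.1.1w
}

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)+)([a-z])?")


def parse_version(text):
    """'41.0.3' -> (41, 0, 3); 'OpenSSL 1.1.1v  1 Aug 2023' -> (1, 1, 1, 22).

    A trailing letter, as used by OpenSSL 1.1.1, becomes one more component so
    plain tuple comparison orders releases correctly.
    """
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no version number in {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    if m.group(2):
        parts.append(ord(m.group(2)) - ord("a") + 1)
    return tuple(parts)


def package_in_affected_range(pkg_version):
    """True if this cryptography release falls inside the advisory's range."""
    return AFFECTED_MIN <= parse_version(pkg_version) < FIRST_PATCHED


def openssl_is_patched(openssl_version_text):
    """True/False for a branch in the table, None for an unknown branch."""
    v = parse_version(openssl_version_text)
    branch = v[:3] if v[:2] == (1, 1) else v[:2]
    fixed = OPENSSL_FIXED.get(branch)
    return None if fixed is None else v >= fixed


def assess(pkg_version, openssl_version_text):
    """Combine both signals. The linked OpenSSL decides exposure, because the
    flaw is in OpenSSL, not in cryptography's Python code; the package version
    only tells you whether you are looking at an affected wheel."""
    in_range = package_in_affected_range(pkg_version)
    patched = openssl_is_patched(openssl_version_text)
    if patched is None:
        note = "unknown OpenSSL branch; check OpenSSL's advisory by hand"
    elif in_range and not patched:
        note = "vulnerable: affected wheel with its bundled OpenSSL; upgrade cryptography"
    elif in_range:
        note = ("linked OpenSSL is already fixed, so this is probably a source build "
                "against the system library; upgrade cryptography anyway")
    elif not patched:
        note = ("vulnerable despite a patched package version: source build against "
                "an old system OpenSSL; upgrade OpenSSL and rebuild")
    else:
        note = "not affected"
    return {
        "package_in_affected_range": in_range,
        "openssl_version": parse_version(openssl_version_text),
        "openssl_patched": patched,
        "vulnerable": patched is False,
        "note": note,
    }


def assess_installed():
    """Check the interpreter's own cryptography install; None if not installed."""
    try:
        import cryptography
        from cryptography.hazmat.backends.openssl.backend import backend
    except ImportError:
        return None
    return assess(cryptography.__version__, backend.openssl_version_text())


if __name__ == "__main__":
    # Constructed sample inputs, not observations from any real system.
    samples = [
        ("41.0.3", "OpenSSL 3.1.2 1 Aug 2023"),     # affected wheel
        ("41.0.4", "OpenSSL 3.1.3 19 Sep 2023"),    # patched wheel
        ("36.0.2", "OpenSSL 1.1.1v  1 Aug 2023"),   # older affected wheel
        ("41.0.4", "OpenSSL 3.0.10 1 Aug 2023"),    # source build on an old system OpenSSL
    ]
    for pkg, ssl in samples:
        print(f"cryptography {pkg} / {ssl}: {assess(pkg, ssl)['note']}")
    live = assess_installed()
    print("this interpreter:", live["note"] if live else "cryptography not installed")
```

Run it inside the virtualenv you want to audit; the live check is skipped when cryptography is not importable. Because a wheel's bundled OpenSSL is only visible from inside the interpreter that loaded it, a fleet-wide audit has to run this per interpreter rather than grepping `pip freeze` output, which only yields the package version and therefore misses source builds linked against an old system library.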

WAF Protection Rules

WAF Rule

pyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in cryptography 2.5-41.0.3 are vulnerable to several security issues. More details about the vulnerabilities themselves can be found in https://w
