The vulnerability stems from the cryptography package shipping a statically linked, vulnerable OpenSSL version (3.1.2 and older) in its pre-built wheels. The flaw does not reside in the cryptography codebase itself, but in the bundled OpenSSL library. The fix (in cryptography 41.0.4) updates the OpenSSL dependency to 3.1.3 and does not modify any cryptographic functions in the Python code. Any vulnerable functions would be specific to OpenSSL (for example, those related to the POLY1305 MAC or the incorrect cipher keying described in OpenSSL's CVE-2023-4807), and these are not part of the cryptography package's own code. Thus, with high confidence, no functions of the cryptography package are directly vulnerable.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| cryptography | pip | >= 2.5, < 41.0.4 | 41.0.4 |
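A small triage helper written for this page (not code from the cryptography project or the advisory): it checks a cryptography version string against the affected range above and an OpenSSL version banner against the 3.1.3 build the fix bundles, and optionally probes a live install. The probe assumes `cryptography.hazmat.backends.openssl.backend.openssl_version_text()` is available, which is how the pre-built wheels expose the OpenSSL they link; the pure version checks run without cryptography installed.

```python
"""Triage an installed (or recorded) cryptography wheel against this advisory:
affected if cryptography >= 2.5 and < 41.0.4, and the bundled OpenSSL is
older than 3.1.3, the version the fixed wheel links."""
import re

AFFECTED_MIN = (2, 5)        # first vulnerable cryptography version
FIXED_VERSION = (41, 0, 4)   # first patched cryptography version
OPENSSL_FIXED = (3, 1, 3)    # OpenSSL version bundled by the 41.0.4 wheels


def parse_version(text):
    """Turn '41.0.3' or 'OpenSSL 3.1.2 1 Aug 2023' into a comparable tuple.
    A missing patch component is treated as 0, so '2.5' -> (2, 5, 0)."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())


def cryptography_affected(version):
    """True when the cryptography version falls in >= 2.5, < 41.0.4."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_VERSION


def openssl_affected(version_text):
    """True when the linked OpenSSL is older than the 3.1.3 shipped by the fix."""
    return parse_version(version_text) < OPENSSL_FIXED


def probe_installed():
    """Return (cryptography version, OpenSSL banner) for the local install,
    or None when cryptography is absent or does not expose the banner."""
    try:
        import cryptography
        from cryptography.hazmat.backends.openssl import backend
        return cryptography.__version__, backend.openssl_version_text()
    except (ImportError, AttributeError):
        return None


if __name__ == "__main__":
    found = probe_installed()
    if found is None:
        print("cryptography not installed; nothing to triage")
    else:
        ver, ssl = found
        print(f"cryptography {ver}: affected range = {cryptography_affected(ver)}")
        print(f"{ssl}: pre-fix OpenSSL = {openssl_affected(ssl)}")
```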