CVE-2024-5642

June 27, 2024, 10:15 p.m.

None
No Score

Description

CPython 3.9 and earlier doesn't disallow configuring an empty list ("[]") for SSLContext.set_npn_protocols() which is an invalid value for the underlying OpenSSL API. This results in a buffer over-read when NPN is used (see CVE-2024-5535 for OpenSSL). This vulnerability is of low severity due to NPN being not widely used and specifying an empty list likely being uncommon in-practice (typically a protocol name would be configured).

Product(s) Impacted

Product Versions
CPython
  • ['3.9 and earlier']

Weaknesses

Common security weaknesses mapped to this vulnerability.

References

https://github.com/python/cpython/commit/39258d3595300bc7b952854c915f63ae2d4b9c3e
https://github.com/python/cpython/pull/23014
https://jbp.io/2024/06/27/cve-2024-5535-openssl-memory-safety.html
https://mail.python.org/archives/list/security-announce@python.org/thread/PLP2JI3PJY33YG6P5BZYSSNU66HASXBQ/

Tags

cna@python.org
2024-06-27
CVE-2024-5642

Timeline

Published: June 27, 2024, 9:15 p.m.
Last Modified: June 27, 2024, 10:15 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

cna@python.org

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.