Severity: 9.1 CRITICAL
EPSS: 1.6% (top 18.46%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 7; latest update Jan 15

Description

In the cryptography package before 3.3.2 for Python, certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Exploitability: 3.9 | Impact: 5.2

Affected Packages (4 packages)

Also affects: Fedora 33

Patches

Vulnerability Details (4)

GHSA: PyCA Cryptography symmetrically encrypting large values can lead to integer overflow (2021-02-10)
OSV: PyCA Cryptography symmetrically encrypting large values can lead to integer overflow (2021-02-10)
CVEList: CVE-2020-36242: In the cryptography package before 3 (2021-02-07)
OSV: CVE-2020-36242: In the cryptography package before 3 (2021-02-07)

Vendor Advisories (5)

Oracle: Oracle MySQL Risk Matrix: Shell: Core Client (cryptography), CVE-2020-36242 (2023-01-15)
Oracle: Oracle Communications Risk Matrix: OC-CNE (python-cryptography), CVE-2020-36242 (2022-04-15)
Microsoft: In the cryptography package before 3.3.2 for Python certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow as demonstrated b (2021-02-09)
Red Hat: python-cryptography: Large inputs for symmetric encryption can trigger integer overflow leading to buffer overflow (2020-12-09)
Debian: CVE-2020-36242: python-cryptography - In the cryptography package before 3.3.2 for Python, certain sequences of update... (2020)

Community (1)

HackerOne: Integer overflow in CipherUpdate (2021-04-08)