CVE-2023-38325

CWE-295 — Improper Certificate Validation9 documents8 sources

Severity

7.5HIGH

EPSS

1.1%

top 22.01%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cryptography.io Cryptography

Timeline

PublishedJul 14

Latest updateJan 15

Description

The cryptography package before 41.0.2 for Python mishandles SSH certificates that have critical options.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages3 packages

▶PyPIcryptography40.0.0 — 41.0.2

▶NVDcryptography.io/cryptography40.0.0 — 41.0.2

▶Alpinepy3-cryptography< 41.0.2-r0

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

cryptography mishandles SSH certificates↗2023-07-14

▶

OSV

CVE-2023-38325: The cryptography package before 41↗2023-07-14

▶

OSV

cryptography mishandles SSH certificates↗2023-07-14

▶

CVEList

CVE-2023-38325: The cryptography package before 41↗2023-07-14

▶

📋Vendor Advisories

Oracle

Oracle Oracle Communications Risk Matrix: Install/Upgrade (Cryptography) — CVE-2023-38325↗2024-01-15

▶

Red Hat

python-cryptography: SSH certificate encoding/parsing incompatibility with OpenSSH↗2023-07-15

▶

Microsoft

The cryptography package before 41.0.2 for Python mishandles SSH certificates that have critical options.↗2023-07-11

▶

Debian

CVE-2023-38325: python-cryptography - The cryptography package before 41.0.2 for Python mishandles SSH certificates th...↗2023

▶