CVE-2024-5642Improper Input Validation in Software Foundation Cpython

CWE-20Improper Input Validation7 documents7 sources
Severity
6.5MEDIUMNVD
CNA9.1OSV9.1
EPSS
0.2%
top 58.78%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Python Software Foundation Cpython
Timeline
PublishedJun 27

Description

CPython 3.9 and earlier doesn't disallow configuring an empty list ("[]") for SSLContext.set_npn_protocols() which is an invalid value for the underlying OpenSSL API. This results in a buffer over-read when NPN is used (see CVE-2024-5535 for OpenSSL). This vulnerability is of low severity due to NPN being not widely used and specifying an empty list likely being uncommon in-practice (typically a protocol name would be configured).

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:LExploitability: 3.9 | Impact: 2.5

Affected Packages1 packages

CVEListV5python_software_foundation/cpython3.10.0a13.10.0b1+1

🔴Vulnerability Details

3
GHSA
GHSA-hrvr-7x5w-xpmq: CPython 32024-06-27
OSV
CVE-2024-5642: CPython 32024-06-27
CVEList
Buffer overread when using an empty list with SSLContext.set_npn_protocols()2024-06-27

📋Vendor Advisories

3
Red Hat
python: Invalid value for OpenSSL API may cause Buffer over-read when NPN is used2024-06-27
Microsoft
Buffer overread when using an empty list with SSLContext.set_npn_protocols()2024-06-11
Debian
CVE-2024-5642: pypy3 - CPython 3.9 and earlier doesn't disallow configuring an empty list ("[]") for SS...2024
CVE-2024-5642 — Improper Input Validation | cvebase