CVE-2023-49083

CVE Details

Release Date:	2023-11-28
Impact:	Moderate	What is this?

Description

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling `load_pem_pkcs7_certificates` or `load_der_pkcs7_certificates` could lead to a NULL-pointer dereference and segfault. Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system availability and stability. This vulnerability has been patched in version 41.0.6.

See more information about CVE-2023-49083 from MITRE CVE dictionary and NIST NVD

NOTE: The following CVSS metrics and score provided are preliminary and subject to review.

CVSS v3 metrics

Base Score:	7.5
Vector String:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Version:	3.1
Attack Vector:	Network
Attack Complexity:	Low
Privileges Required:	None
User Interaction:	None
Scope:	Unchanged
Confidentiality Impact:	None
Integrity Impact:	None
Availability Impact:	High

Errata information

Platform	Errata	Release Date
Oracle Linux version 7 (python-cryptography)	ELSA-2024-12234	2024-03-20
Oracle Linux version 7 (python-cryptography)	ELSA-2024-19480	2024-03-20
Oracle Linux version 8 (ol-automation-manager)	OLAMSA-2025-0002	2025-02-14
Oracle Linux version 8 (python-cryptography)	ELSA-2024-12079	2024-01-18
Oracle Linux version 8 (python-django)	OLAMSA-2025-0002	2025-02-14
Oracle Linux version 8 (python-jinja2)	OLAMSA-2025-0002	2025-02-14
Oracle Linux version 8 (python3.11-cryptography)	ELSA-2024-12078	2024-01-18
Oracle Linux version 8 (python3.11-cryptography)	ELSA-2024-3105	2024-05-23
Oracle Linux version 8 (python3.11-cryptography)	OLAMSA-2025-0002	2025-02-14
Oracle Linux version 9 (python-cryptography)	ELSA-2024-12079	2024-01-18
Oracle Linux version 9 (python3.11-cryptography)	ELSA-2024-12078	2024-01-18
Oracle Linux version 9 (python3.11-cryptography)	ELSA-2024-2337	2024-05-02