Vulnerable Library - cryptography-3.4.7-cp36-abi3-manylinux2014_x86_64.whl
cryptography is a package which provides cryptographic recipes and primitives to Python developers.
Library home page: https://files.pythonhosted.org/packages/b2/26/7af637e6a7e87258b963f1731c5982fb31cd507f0d90d91836e446955d02/cryptography-3.4.7-cp36-abi3-manylinux2014_x86_64.whl
Path to dependency file: /blockchain/requirements.txt
Path to vulnerable library: /blockchain/requirements.txt
Found in HEAD commit: 56243b6f6a9d69dc996086fd1497f2255877936c
Vulnerabilities
| Vulnerability |
Severity |
CVSS |
Dependency |
Type |
Fixed in (cryptography version) |
Remediation Possible** |
| CVE-2023-50782 |
High |
7.5 |
cryptography-3.4.7-cp36-abi3-manylinux2014_x86_64.whl |
Direct |
42.0.0 |
❌ |
| CVE-2023-0286 |
High |
7.4 |
cryptography-3.4.7-cp36-abi3-manylinux2014_x86_64.whl |
Direct |
openssl-3.0.8;cryptography - 39.0.1;openssl-src - 111.25.0+1.1.1t,300.0.12+3.0.8,openssl - 1.1.1u,openssl - 3.0.9,openssl - 1.1.1u,openssl - 3.0.9 |
❌ |
| CVE-2026-26007 |
Medium |
5.9 |
cryptography-3.4.7-cp36-abi3-manylinux2014_x86_64.whl |
Direct |
46.0.5 |
❌ |
| CVE-2023-49083 |
Medium |
5.9 |
cryptography-3.4.7-cp36-abi3-manylinux2014_x86_64.whl |
Direct |
41.0.6 |
❌ |
| CVE-2024-0727 |
Medium |
5.5 |
cryptography-3.4.7-cp36-abi3-manylinux2014_x86_64.whl |
Direct |
openssl - 1.1.1x,openssl - 3.0.13,openssl - 3.0.13,openssl - 3.1.5,openssl - 3.1.5,openssl - 3.2.1,openssl - 3.2.1,openssl - 1.1.1x,https://github.com/openssl/openssl.git - openssl-1.1.1x,https://github.com/openssl/openssl.git - openssl-3.1.5,https://github.com/openssl/openssl.git - openssl-3.2.1,https://github.com/openssl/openssl.git - openssl-3.0.13,https://github.com/openssl/openssl.git - openssl-1.0.2zj |
❌ |
| CVE-2023-23931 |
Medium |
4.8 |
cryptography-3.4.7-cp36-abi3-manylinux2014_x86_64.whl |
Direct |
39.0.1 |
❌ |
| CVE-2026-34073 |
Low |
3.7 |
cryptography-3.4.7-cp36-abi3-manylinux2014_x86_64.whl |
Direct |
cryptography - 46.0.6 |
❌ |
**In some cases a remediation PR cannot be created automatically for a vulnerability even though a remediation is available.
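A quick way to turn the table above into an actionable check, as an added example that is not part of the Mend report or of the cryptography project: pull the cryptography pin out of a requirements.txt and list which of the seven findings it still carries. The requirements text is constructed for the example. The fixed versions are taken from the table, except that the two OpenSSL findings are mapped to the cryptography wheels that bundle a patched OpenSSL (39.0.1 ships 3.0.8, 42.0.2 ships 3.2.1), which is the fix that matters for a manylinux wheel.

```python
"""Audit a requirements.txt pin for cryptography against the fixes in this
report. Added example, not part of the Mend report or of the cryptography
project; the requirements text is constructed inline."""
import re

# Lowest cryptography release that closes each finding. The table lists the
# two OpenSSL findings by OpenSSL version; the wheels below are the releases
# that bundle a fixed OpenSSL (39.0.1 -> OpenSSL 3.0.8, 42.0.2 -> OpenSSL 3.2.1).
FIXED_IN = {
    "CVE-2023-50782": "42.0.0",
    "CVE-2023-0286": "39.0.1",
    "CVE-2026-26007": "46.0.5",
    "CVE-2023-49083": "41.0.6",
    "CVE-2024-0727": "42.0.2",
    "CVE-2023-23931": "39.0.1",
    "CVE-2026-34073": "46.0.6",
}

# Matches an exact pin, with or without extras, e.g. "cryptography[ssh]==3.4.7".
PIN_RE = re.compile(r"^\s*cryptography(?:\[[^\]]*\])?\s*==\s*([0-9][0-9A-Za-z.]*)",
                    re.IGNORECASE | re.MULTILINE)

# Constructed sample: the pin this report flags, among unrelated lines.
SAMPLE_REQUIREMENTS = """\
flask==2.0.3
cryptography==3.4.7
requests>=2.25
"""


def parse_version(v):
    """'41.0.0rc1' -> (41, 0, 0): the first three integer components give the
    ordering; pre-release suffixes are ignored."""
    return tuple(int(part) for part in re.findall(r"\d+", v)[:3])


def pinned_cryptography(requirements_text):
    m = PIN_RE.search(requirements_text)
    return m.group(1) if m else None


def open_findings(version):
    """CVE ids whose fix is newer than `version`, highest fix version first."""
    v = parse_version(version)
    still_open = [cve for cve, fixed in FIXED_IN.items() if v < parse_version(fixed)]
    return sorted(still_open, key=lambda cve: parse_version(FIXED_IN[cve]), reverse=True)


def minimum_safe_version():
    return max(FIXED_IN.values(), key=parse_version)


def audit(requirements_text):
    """Unpinned or range-pinned cryptography cannot be assessed from the file
    alone and is reported with every finding open."""
    pin = pinned_cryptography(requirements_text)
    return {
        "pinned": pin,
        "open": open_findings(pin) if pin else list(FIXED_IN),
        "upgrade_to": minimum_safe_version(),
    }
```

Run `audit(open("/blockchain/requirements.txt").read())` against the repository; for the pin in this report it lists all seven CVEs and recommends 46.0.6.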
Details
CVE-2023-50782
Dependency Hierarchy:
- ❌ cryptography-3.4.7-cp36-abi3-manylinux2014_x86_64.whl (Vulnerable Library)
Found in HEAD commit: 56243b6f6a9d69dc996086fd1497f2255877936c
Found in base branch: main
Vulnerability Details
A flaw was found in the python-cryptography package: RSA PKCS#1 v1.5 decryption leaked timing information that can be used as a Bleichenbacher-style oracle. This may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.
Publish Date: 2024-02-05
URL: CVE-2023-50782
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-3ww4-gg4f-jr7f
Release Date: 2024-02-05
Fix Resolution: 42.0.0
Step up your Open Source Security Game with Mend here
CVE-2023-0286
Vulnerability Details
There is a type confusion vulnerability relating to X.400 address processing
inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but
the public structure definition for GENERAL_NAME incorrectly specified the type
of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by
the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an
ASN1_STRING.
When CRL checking is enabled (i.e. the application sets the
X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass
arbitrary pointers to a memcmp call, enabling them to read memory contents or
enact a denial of service. In most cases, the attack requires the attacker to
provide both the certificate chain and CRL, neither of which need to have a
valid signature. If the attacker only controls one of these inputs, the other
input must already contain an X.400 address as a CRL distribution point, which
is uncommon. As such, this vulnerability is most likely to only affect
applications which have implemented their own functionality for retrieving CRLs
over a network.
Publish Date: 2023-02-08
URL: CVE-2023-0286
CVSS 3 Score Details (7.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-x4qr-2fvf-3mr5
Release Date: 2023-02-08
Fix Resolution: openssl - 3.0.8; cryptography - 39.0.1; openssl-src - 111.25.0+1.1.1t, 300.0.12+3.0.8; openssl - 1.1.1u; openssl - 3.0.9
CVE-2026-26007
Vulnerability Details
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to 46.0.5, public_key_from_numbers (that is, EllipticCurvePublicNumbers.public_key()), load_der_public_key() and load_pem_public_key() do not verify that the point belongs to the expected prime-order subgroup of the curve. This missing validation allows an attacker to supply a public-key point P from a small-order subgroup, which undermines both signature verification (ECDSA) and shared-key negotiation (ECDH). When the victim computes the shared secret S = [victim_private_key]P via ECDH, S leaks victim_private_key mod (small_subgroup_order); for curves with cofactor > 1 this reveals the least significant bits of the private key. When such weak public keys are used for ECDSA verification, it is easy to forge signatures within the small subgroup. Only SECT (binary-field) curves are affected. This vulnerability is fixed in 46.0.5.
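To see what the missing check allows, here is an added example (not cryptography's code) on a constructed toy curve y^2 = x^3 + 7x over F_1051. With b = 0 the point (0, 0) has order 2, and because 1051 is 3 mod 4 the group order is 1052 = 4 * 263, so the intended prime-order subgroup has order 263 and the cofactor is 4. The attacker hands the victim a point of order 2 or 4 as a "public key"; the victim's ECDH result then depends only on its private scalar modulo that small order, which the attacker recovers by trying each residue, which is the low-bit leak the description refers to. validate_public_point is the subgroup check the fixed loaders perform (n*P must be the point at infinity); it rejects the rogue point and accepts an honest one. The real finding concerns binary (SECT) curves; this prime-field toy only keeps the arithmetic small enough to brute-force.

```python
"""Small-subgroup leak through an unvalidated EC public key, on a toy curve.
Added example, not code from the cryptography project. y^2 = x^3 + A*x over
F_P with B = 0 makes (0, 0) an order-2 point; with P = 3 (mod 4) the group
order is P + 1 = 1052 = 4 * 263, i.e. cofactor 4 over a prime-order subgroup."""
import random

P, A, B = 1051, 7, 0   # toy field prime and curve coefficients (constructed)
INF = None             # point at infinity


def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P == 0


def add(p1, p2):
    # Affine addition; P + (-P), including doubling a y = 0 point, returns INF
    # before any division happens.
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def group_order():
    # #E(F_P): count y-solutions for every x, plus the point at infinity.
    n = 1
    for x in range(P):
        rhs = (x ** 3 + A * x + B) % P
        if rhs == 0:
            n += 1
        elif pow(rhs, (P - 1) // 2, P) == 1:
            n += 2
    return n


def largest_prime_factor(m):
    largest, f = 1, 2
    while f * f <= m:
        while m % f == 0:
            largest, m = f, m // f
        f += 1
    return m if m > 1 else largest


def point_order(pt):
    k, acc = 1, pt
    while acc is not INF:
        acc, k = add(acc, pt), k + 1
    return k


def random_point(rng):
    # P = 3 (mod 4), so a square root of r is r^((P+1)/4).
    while True:
        x = rng.randrange(P)
        rhs = (x ** 3 + A * x + B) % P
        if rhs == 0:
            return (x, 0)
        if pow(rhs, (P - 1) // 2, P) == 1:
            return (x, pow(rhs, (P + 1) // 4, P))


def validate_public_point(pt, n):
    """The check the fixed loaders add: on the curve, not the identity, and in
    the prime-order subgroup (n*pt must be the point at infinity)."""
    return pt is not INF and on_curve(pt) and mul(n, pt) is INF


def recover_residue(victim_priv, rogue_pub):
    """Attacker side. The vulnerable victim computes S = d*Q with the
    attacker's small-order Q; S depends only on d mod ord(Q), so every residue
    is tried (in practice against a MAC or ciphertext derived from S)."""
    shared = mul(victim_priv, rogue_pub)
    r = point_order(rogue_pub)
    for j in range(r):
        if mul(j, rogue_pub) == shared:
            return j, r
    raise RuntimeError("unreachable: some residue mod r must match")


def demo(seed=1):
    rng = random.Random(seed)
    N = group_order()
    n = largest_prime_factor(N)   # order of the intended subgroup (263)
    h = N // n                    # cofactor (4)
    rogue = honest = INF
    while rogue is INF:           # n*R has order dividing h: a small-subgroup point
        rogue = mul(n, random_point(rng))
    while honest is INF:          # h*R has prime order n: a legitimate public key
        honest = mul(h, random_point(rng))
    d = rng.randrange(1, n)       # victim's private scalar
    leaked, r = recover_residue(d, rogue)
    return {"N": N, "n": n, "h": h, "rogue_order": r,
            "leak_correct": leaked == d % r,
            "rogue_accepted": validate_public_point(rogue, n),
            "honest_accepted": validate_public_point(honest, n)}
```

demo() returns leak_correct True with rogue_accepted False and honest_accepted True: the unvalidated exchange gives away d mod 2 or d mod 4, and the subgroup check is what stops the rogue point from being used at all.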
Publish Date: 2026-02-10
URL: CVE-2026-26007
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-r6ph-v2qm-q3c2
Release Date: 2026-02-10
Fix Resolution: 46.0.5
CVE-2023-49083
Vulnerability Details
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Calling "load_pem_pkcs7_certificates" or "load_der_pkcs7_certificates" could lead to a NULL-pointer dereference and segfault. Exploitation of this vulnerability poses a serious risk of Denial of Service (DoS) for any application attempting to deserialize a PKCS7 blob/certificate. The consequences extend to potential disruptions in system availability and stability. This vulnerability has been patched in version 41.0.6.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2023-11-29
URL: CVE-2023-49083
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-49083
Release Date: 2023-11-29
Fix Resolution: 41.0.6
CVE-2024-0727
Vulnerability Details
Issue summary: Processing a maliciously formatted PKCS12 file may lead OpenSSL
to crash leading to a potential Denial of Service attack
Impact summary: Applications loading files in the PKCS12 format from untrusted
sources might terminate abruptly.
A file in PKCS12 format can contain certificates and keys and may come from an
untrusted source. The PKCS12 specification allows certain fields to be NULL, but
OpenSSL does not correctly check for this case. This can lead to a NULL pointer
dereference that results in OpenSSL crashing. If an application processes PKCS12
files from an untrusted source using the OpenSSL APIs then that application will
be vulnerable to this issue.
OpenSSL APIs that are vulnerable to this are: PKCS12_parse(),
PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes()
and PKCS12_newpass().
We have also fixed a similar issue in SMIME_write_PKCS7(). However since this
function is related to writing data we do not consider it security significant.
The FIPS modules in 3.2, 3.1 and 3.0 are not affected by this issue.
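Both NULL-dereference findings above (CVE-2023-49083 in the PKCS#7 loaders, CVE-2024-0727 in OpenSSL's PKCS#12 parsing) end in a segfault, which kills the whole interpreter rather than raising an exception. Until the upgrade lands, the practical mitigation is to parse untrusted PKCS#7 or PKCS#12 input in a disposable child process. The following is an added example, not code from the report or from the cryptography project, and it is POSIX-only because it reads the child's exit signal. The worker's "crash" mode sends itself SIGSEGV to stand in for the native crash, since reproducing the real one would need the old library and a crafted blob; "count" mode stands in for a healthy parser. The sample blob is constructed bytes, not a real PKCS#12 file.

```python
"""Run a native parser on untrusted input in a throwaway child process so a
segfault is reported as an error instead of killing the service. Added
example, not project code; POSIX only (relies on the child's exit signal).
The 'crash' worker sends itself SIGSEGV to stand in for a NULL dereference
inside the library; 'count' stands in for a healthy parser."""
import signal
import subprocess
import sys
import textwrap

# Worker program run via `python -c`; the blob arrives on stdin so untrusted
# bytes never appear on a command line. In real use the mode argument would
# be replaced by the parser call, e.g. load_der_pkcs7_certificates(blob).
WORKER = textwrap.dedent("""
    import os, signal, sys
    blob = sys.stdin.buffer.read()
    if sys.argv[1] == "crash":
        os.kill(os.getpid(), signal.SIGSEGV)
    sys.stdout.write(str(len(blob)))
""")


def parse_isolated(blob, mode, timeout=5.0):
    """Returns ('ok', stdout), ('crash', signal name) or ('error', detail)."""
    try:
        proc = subprocess.run([sys.executable, "-c", WORKER, mode],
                              input=blob, capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return ("error", "timeout after %.1fs" % timeout)
    if proc.returncode < 0:            # terminated by a signal
        return ("crash", signal.Signals(-proc.returncode).name)
    if proc.returncode != 0:
        return ("error", proc.stderr.decode(errors="replace").strip())
    return ("ok", proc.stdout.decode())


# Constructed sample input: arbitrary bytes, not a real PKCS#7/PKCS#12 blob.
SAMPLE_BLOB = b"\x30\x82\x00\x10" + b"\x00" * 16
```

The parent sees ("crash", "SIGSEGV") and keeps serving; a timeout covers parsers that hang instead of crashing. Process isolation is a containment measure only, the finding itself is still closed by the upgrade.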
Publish Date: 2024-01-26
URL: CVE-2024-0727
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://openssl-library.org/news/vulnerabilities/#CVE-2024-0727
Release Date: 2024-01-26
Fix Resolution: openssl - 1.0.2zj, 1.1.1x, 3.0.13, 3.1.5, 3.2.1 (git tags openssl-1.0.2zj, openssl-1.1.1x, openssl-3.0.13, openssl-3.1.5, openssl-3.2.1 at https://github.com/openssl/openssl.git)
CVE-2023-23931
Vulnerability Details
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions "Cipher.update_into" would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as "bytes") to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This now correctly raises an exception. This issue has been present since "update_into" was originally introduced in cryptography 1.8.
Publish Date: 2023-02-07
URL: CVE-2023-23931
CVSS 3 Score Details (4.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-23931
Release Date: 2023-02-07
Fix Resolution: 39.0.1
CVE-2026-34073
Vulnerability Details
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to version 46.0.6, DNS name constraints were only validated against SANs within child certificates, and not the "peer name" presented during each validation. Consequently, cryptography would allow a peer named bar.example.com to validate against a wildcard leaf certificate for *.example.com, even if the leaf's parent certificate (or upwards) contained an excluded subtree constraint for bar.example.com. This issue has been patched in version 46.0.6.
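The mechanism of CVE-2026-34073, as an added example rather than cryptography's own verifier code: a constructed chain whose intermediate excludes bar.example.com and whose leaf carries the single SAN *.example.com. Applying the constraint only to the SAN passes, because the wildcard string is not inside the excluded subtree, and the peer name then matches the wildcard; applying the constraint to the presented peer name rejects it. Constraint matching follows RFC 5280 section 4.2.1.10 in simplified form (a constraint covers the name and everything beneath it; a leading dot covers subdomains only), and the chain carries only the DNS fields needed here.

```python
"""DNS name constraints applied to the peer name, not just to the leaf's SANs.
Added example, not cryptography's verifier; constraint matching is a
simplified RFC 5280 4.2.1.10. The chain below is constructed and carries
only the DNS-related fields needed for the demonstration."""


def dns_in_subtree(name, constraint):
    """RFC 5280 DNS constraint: 'example.com' covers example.com and every
    name beneath it; a leading '.' covers subdomains only."""
    name, constraint = name.lower().rstrip("."), constraint.lower().rstrip(".")
    if constraint.startswith("."):
        return name.endswith(constraint)
    return name == constraint or name.endswith("." + constraint)


def dns_constraints_permit(name, permitted, excluded):
    """True if `name` is outside every excluded subtree and, when permitted
    subtrees exist, inside at least one of them."""
    if any(dns_in_subtree(name, c) for c in excluded):
        return False
    return not permitted or any(dns_in_subtree(name, c) for c in permitted)


def wildcard_matches(pattern, host):
    """Leaf-SAN match: one leading '*' label matches exactly one label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    return len(p) == len(h) and all(
        a == b or (a == "*" and i == 0) for i, (a, b) in enumerate(zip(p, h)))


# Constructed chain: the intermediate excludes bar.example.com, the leaf's
# only SAN is the wildcard *.example.com.
CHAIN = {
    "intermediate_permitted": [],
    "intermediate_excluded": ["bar.example.com"],
    "leaf_sans": ["*.example.com"],
}


def verify_san_only(chain, peer_name):
    """Pre-46.0.6 behaviour: constraints are applied to the leaf SANs, then
    the peer name is matched against those SANs. The wildcard string
    '*.example.com' is not inside 'bar.example.com', so the exclusion is
    never tested against the name the client actually asked for."""
    permitted, excluded = chain["intermediate_permitted"], chain["intermediate_excluded"]
    sans_ok = all(dns_constraints_permit(s, permitted, excluded) for s in chain["leaf_sans"])
    return sans_ok and any(wildcard_matches(s, peer_name) for s in chain["leaf_sans"])


def verify_with_peer_name(chain, peer_name):
    """Fixed behaviour: the presented peer name must itself satisfy every
    issuer's constraints, in addition to the SAN checks above."""
    if not verify_san_only(chain, peer_name):
        return False
    return dns_constraints_permit(peer_name, chain["intermediate_permitted"],
                                  chain["intermediate_excluded"])
```

verify_san_only(CHAIN, "bar.example.com") returns True (the bug) while verify_with_peer_name(CHAIN, "bar.example.com") returns False; foo.example.com still validates under both, so the fix only removes the names the constraint was meant to forbid.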
Publish Date: 2026-03-31
URL: CVE-2026-34073
CVSS 3 Score Details (3.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-m959-cc7f-wv43
Release Date: 2026-03-28
Fix Resolution: cryptography - 46.0.6