CVE-2020-36242

moderate-risk
Published 2021-02-07

In the cryptography package before 3.3.2 for Python, certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class.

Do I need to act?

~
1.6% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.1/10 Critical
NETWORK / LOW complexity

Affected Products (3)

Cryptography

Affected Vendors

Oracle Fedoraproject Cryptography.Io

References (12)

Release Notes https://github.com/pyca/cryptography/blob/master/CHANGELOG.rst
Patch https://github.com/pyca/cryptography/compare/3.3.1...3.3.2
Exploit https://github.com/pyca/cryptography/issues/5615
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
Patch https://www.oracle.com/security-alerts/cpuapr2022.html
Patch https://www.oracle.com/security-alerts/cpujul2022.html
Release Notes https://github.com/pyca/cryptography/blob/master/CHANGELOG.rst
Patch https://github.com/pyca/cryptography/compare/3.3.1...3.3.2
Exploit https://github.com/pyca/cryptography/issues/5615
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
Patch https://www.oracle.com/security-alerts/cpuapr2022.html
Patch https://www.oracle.com/security-alerts/cpujul2022.html
44
/ 100
moderate-risk
Severity 31/34 · Critical
Exploitability 4/34 · Minimal
Exposure 9/34 · Low