Homepage
About Snyk

Access of Resource Using Incompatible Type ('Type Confusion') Affecting cryptography package, versions [,39.0.1)

0.0
high

Snyk CVSS

    Attack Complexity High
    Confidentiality High
    Availability High

    Threat Intelligence

    EPSS 0.21% (59th percentile)
Expand this section
NVD
7.4 high
Expand this section
SUSE
7.4 high
Expand this section
Red Hat
7.4 high

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-PYTHON-CRYPTOGRAPHY-3315328
  • published 8 Feb 2023
  • disclosed 7 Feb 2023
  • credit David Benjamin
Report a new vulnerability Found a mistake?

Introduced: 7 Feb 2023

CVE-2023-0286 Open this link in a new tab
CWE-843 Open this link in a new tab

How to fix?

Upgrade cryptography to version 39.0.1 or higher.

Overview

Affected versions of this package are vulnerable to Access of Resource Using Incompatible Type ('Type Confusion') in x509/v3_genn.c, when processing X.400 addresses with CRL checking enabled (e.g. when X509_V_FLAG_CRL_CHECK is set). An attacker in possession of both the certificate chain and CRL, of which neither needs a valid signature, can expose memory or cause a denial of service. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon.