CVE-2023-50782 (High) detected in cryptography-41.0.7-cp37-abi3-manylinux_2_28_x86_64.whl

[mend-bolt-for-github]

CVE-2023-50782 - High Severity Vulnerability

Vulnerable Library - cryptography-41.0.7-cp37-abi3-manylinux_2_28_x86_64.whl

cryptography is a package which provides cryptographic recipes and primitives to Python developers.

Library home page: https://files.pythonhosted.org/packages/62/bd/69628ab50368b1beb900eb1de5c46f8137169b75b2458affe95f2f470501/cryptography-41.0.7-cp37-abi3-manylinux_2_28_x86_64.whl

Path to dependency file: /src/tea-cli/.ws-temp-CUESWI-requirements.txt

Path to vulnerable library: /home/wss-scanner/.cache/pypoetry/virtualenvs/tea-cli-vORNsNti-py3.11/lib/python3.11/site-packages/cryptography-41.0.7.dist-info

Dependency Hierarchy:

• ❌ cryptography-41.0.7-cp37-abi3-manylinux_2_28_x86_64.whl (Vulnerable Library)

Found in HEAD commit: 10d61b2746d4a6d810ae62627bd11db903909b67

Found in base branch: main

Vulnerability Details

A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or sensitive data.

Publish Date: 2024-02-05

URL: CVE-2023-50782

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-3ww4-gg4f-jr7f

Release Date: 2024-02-05

Fix Resolution: 42.0.0

---

Step up your Open Source Security Game with Mend here

[mend-bolt-for-github]

ℹ️ This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.