CVE-2024-26130 (High) detected in cryptography-41.0.7-cp37-abi3-manylinux_2_28_x86_64.whl

## CVE-2024-26130 - High Severity Vulnerability
<details><summary><img src='https://whitesource-resources.whitesourcesoftware.com/vulnerability_details.png' width=19 height=20> Vulnerable Library - cryptography-41.0.7-cp37-abi3-manylinux_2_28_x86_64.whl</summary>

cryptography is a package which provides cryptographic recipes and primitives to Python developers.
Library home page: <a href="https://files.pythonhosted.org/packages/62/bd/69628ab50368b1beb900eb1de5c46f8137169b75b2458affe95f2f470501/cryptography-41.0.7-cp37-abi3-manylinux_2_28_x86_64.whl">https://files.pythonhosted.org/packages/62/bd/69628ab50368b1beb900eb1de5c46f8137169b75b2458affe95f2f470501/cryptography-41.0.7-cp37-abi3-manylinux_2_28_x86_64.whl</a>
Path to dependency file: /src/tea-cli/.ws-temp-CUESWI-requirements.txt
Path to vulnerable library: /home/wss-scanner/.cache/pypoetry/virtualenvs/tea-cli-vORNsNti-py3.11/lib/python3.11/site-packages/cryptography-41.0.7.dist-info


Dependency Hierarchy:
 - :x: **cryptography-41.0.7-cp37-abi3-manylinux_2_28_x86_64.whl** (Vulnerable Library)
Found in HEAD commit: <a href="https://github.com/asfadmin/thin-egress-app/commit/10d61b2746d4a6d810ae62627bd11db903909b67">10d61b2746d4a6d810ae62627bd11db903909b67</a>
Found in base branch: main

</details>

<details><summary><img src='https://whitesource-resources.whitesourcesoftware.com/high_vul.png?' width=19 height=20> Vulnerability Details</summary>
 
 
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting in version 38.0.0 and prior to version 42.0.4, if "pkcs12.serialize_key_and_certificates" is called with both a certificate whose public key did not match the provided private key and an "encryption_algorithm" with "hmac_hash" set (via "PrivateFormat.PKCS12.encryption_builder().hmac_hash(...)", then a NULL pointer dereference would occur, crashing the Python process. This has been resolved in version 42.0.4, the first version in which a "ValueError" is properly raised.
 Mend Note: The description of this vulnerability differs from MITRE. 

Publish Date: 2024-02-21
URL: <a href=https://www.mend.io/vulnerability-database/CVE-2024-26130>CVE-2024-26130</a>

</details>

<details><summary><img src='https://whitesource-resources.whitesourcesoftware.com/cvss3.png' width=19 height=20> CVSS 3 Score Details (7.5)</summary>


Base Score Metrics:
- Exploitability Metrics:
 - Attack Vector: Network
 - Attack Complexity: Low
 - Privileges Required: None
 - User Interaction: None
 - Scope: Unchanged
- Impact Metrics:
 - Confidentiality Impact: None
 - Integrity Impact: None
 - Availability Impact: High

For more information on CVSS3 Scores, click <a href="https://www.first.org/cvss/calculator/3.0">here</a>.

</details>

<details><summary><img src='https://whitesource-resources.whitesourcesoftware.com/suggested_fix.png' width=19 height=20> Suggested Fix</summary>


Type: Upgrade version
Origin: <a href="https://github.com/pyca/cryptography/security/advisories/GHSA-6vqw-3v5j-54x4">https://github.com/pyca/cryptography/security/advisories/GHSA-6vqw-3v5j-54x4</a>
Release Date: 2024-02-21
Fix Resolution: 42.0.4


</details>


***
Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CVE-2024-26130 (High) detected in cryptography-41.0.7-cp37-abi3-manylinux_2_28_x86_64.whl #800

CVE-2024-26130 - High Severity Vulnerability

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

CVE-2024-26130 (High) detected in cryptography-41.0.7-cp37-abi3-manylinux_2_28_x86_64.whl #800

Description

CVE-2024-26130 - High Severity Vulnerability

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions