OpenCVE

CPython 3.9 and earlier doesn't disallow configuring an empty list ("[]") for SSLContext.set_npn_protocols() which is an invalid value for the underlying OpenSSL API. This results in a buffer over-read when NPN is used (see CVE-2024-5535 for OpenSSL). This vulnerability is of low severity due to NPN being not widely used and specifying an empty list likely being uncommon in-practice (typically a protocol name would be configured).

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2024/06/28/4
https://github.com/python/cpython/commit/39258d3595300bc7b952854c915f63ae2d4b9c3e
https://github.com/python/cpython/issues/121227
https://github.com/python/cpython/pull/23014
https://jbp.io/2024/06/27/cve-2024-5535-openssl-memory-safety.html
https://mail.python.org/archives/list/security-announce@python.org/thread/PLP2JI3PJY33YG6P5BZYSSNU66HASXBQ/
https://nvd.nist.gov/vuln/detail/CVE-2024-5642
https://security.netapp.com/advisory/ntap-20240726-0005/
https://www.cve.org/CVERecord?id=CVE-2024-5642

History

Wed, 06 Nov 2024 21:15:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 2.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L'}`	ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}` cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L'}`

MITRE

Status: PUBLISHED

Assigner: PSF

Published: 2024-06-27T21:05:31.281Z

Updated: 2024-11-06T20:14:30.590Z

Reserved: 2024-06-04T18:40:21.539Z

Link: CVE-2024-5642

Vulnrichment

Updated: 2024-08-01T21:18:06.642Z

NVD

Status : Awaiting Analysis

Published: 2024-06-27T21:15:16.070

Modified: 2024-11-21T09:48:04.713

Link: CVE-2024-5642

Redhat

Severity : Low

Publid Date: 2024-06-27T00:00:00Z

Links: CVE-2024-5642 - Bugzilla

{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2024-5642", "assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22", "state": "PUBLISHED", "assignerShortName": "PSF", "dateReserved": "2024-06-04T18:40:21.539Z", "datePublished": "2024-06-27T21:05:31.281Z", "dateUpdated": "2024-11-06T20:14:30.590Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "CPython", "repo": "https://github.com/python/cpython", "vendor": "Python Software Foundation", "versions": [{"lessThan": "3.10.0b1", "status": "affected", "version": "0", "versionType": "python"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "CPython 3.9 and earlier doesn't disallow configuring an empty list (\"[]\") for SSLContext.set_npn_protocols() which is an invalid value for the underlying OpenSSL API. This results in a buffer over-read when NPN is used (see <span style=\"background-color: oklab(0.0852327 0.00000386313 0.00000170618 / 0.06);\">CVE</span><span style=\"background-color: oklab(0.0852327 0.00000386313 0.00000170618 / 0.06);\">-2024</span><span style=\"background-color: oklab(0.0852327 0.00000386313 0.00000170618 / 0.06);\">-5535</span> for OpenSSL). This vulnerability is of low severity due to NPN being not widely used and specifying an empty list likely being uncommon in-practice (typically a protocol name would be configured).<br>"}], "value": "CPython 3.9 and earlier doesn't disallow configuring an empty list (\"[]\") for SSLContext.set_npn_protocols() which is an invalid value for the underlying OpenSSL API. This results in a buffer over-read when NPN is used (see CVE-2024-5535 for OpenSSL). This vulnerability is of low severity due to NPN being not widely used and specifying an empty list likely being uncommon in-practice (typically a protocol name would be configured)."}], "providerMetadata": {"orgId": "28c92f92-d60d-412d-b760-e73465c3df22", "shortName": "PSF", "dateUpdated": "2024-07-01T13:51:32.404Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://jbp.io/2024/06/27/cve-2024-5535-openssl-memory-safety.html"}, {"tags": ["mitigation"], "url": "https://github.com/python/cpython/pull/23014"}, {"tags": ["vendor-advisory"], "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/PLP2JI3PJY33YG6P5BZYSSNU66HASXBQ/"}, {"tags": ["patch"], "url": "https://github.com/python/cpython/commit/39258d3595300bc7b952854c915f63ae2d4b9c3e"}, {"url": "http://www.openwall.com/lists/oss-security/2024/06/28/4"}, {"tags": ["issue-tracking"], "url": "https://github.com/python/cpython/issues/121227"}, {"url": "https://security.netapp.com/advisory/ntap-20240726-0005/"}], "source": {"discovery": "UNKNOWN"}, "title": "Buffer overread when using an empty list with SSLContext.set_npn_protocols()", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-noinfo Not enough information"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-06-28T13:47:34.169947Z", "id": "CVE-2024-5642", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-06T20:14:30.590Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:18:06.642Z"}, "title": "CVE Program Container", "references": [{"tags": ["third-party-advisory", "x_transferred"], "url": "https://jbp.io/2024/06/27/cve-2024-5535-openssl-memory-safety.html"}, {"tags": ["mitigation", "x_transferred"], "url": "https://github.com/python/cpython/pull/23014"}, {"tags": ["vendor-advisory", "x_transferred"], "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/PLP2JI3PJY33YG6P5BZYSSNU66HASXBQ/"}, {"tags": ["patch", "x_transferred"], "url": "https://github.com/python/cpython/commit/39258d3595300bc7b952854c915f63ae2d4b9c3e"}, {"url": "http://www.openwall.com/lists/oss-security/2024/06/28/4", "tags": ["x_transferred"]}, {"tags": ["issue-tracking", "x_transferred"], "url": "https://github.com/python/cpython/issues/121227"}, {"url": "https://security.netapp.com/advisory/ntap-20240726-0005/", "tags": ["x_transferred"]}]}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://jbp.io/2024/06/27/cve-2024-5535-openssl-memory-safety.html", "tags": ["third-party-advisory", "x_transferred"]}, {"url": "https://github.com/python/cpython/pull/23014", "tags": ["mitigation", "x_transferred"]}, {"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/PLP2JI3PJY33YG6P5BZYSSNU66HASXBQ/", "tags": ["vendor-advisory", "x_transferred"]}, {"url": "https://github.com/python/cpython/commit/39258d3595300bc7b952854c915f63ae2d4b9c3e", "tags": ["patch", "x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/06/28/4", "tags": ["x_transferred"]}, {"url": "https://github.com/python/cpython/issues/121227", "tags": ["issue-tracking", "x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20240726-0005/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T21:18:06.642Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-5642", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-06-28T13:47:34.169947Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "description": "CWE-noinfo Not enough information"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-28T13:47:40.782Z"}}], "cna": {"title": "Buffer overread when using an empty list with SSLContext.set_npn_protocols()", "source": {"discovery": "UNKNOWN"}, "affected": [{"repo": "https://github.com/python/cpython", "vendor": "Python Software Foundation", "product": "CPython", "versions": [{"status": "affected", "version": "0", "lessThan": "3.10.0b1", "versionType": "python"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://jbp.io/2024/06/27/cve-2024-5535-openssl-memory-safety.html", "tags": ["third-party-advisory"]}, {"url": "https://github.com/python/cpython/pull/23014", "tags": ["mitigation"]}, {"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/PLP2JI3PJY33YG6P5BZYSSNU66HASXBQ/", "tags": ["vendor-advisory"]}, {"url": "https://github.com/python/cpython/commit/39258d3595300bc7b952854c915f63ae2d4b9c3e", "tags": ["patch"]}, {"url": "http://www.openwall.com/lists/oss-security/2024/06/28/4"}, {"url": "https://github.com/python/cpython/issues/121227", "tags": ["issue-tracking"]}, {"url": "https://security.netapp.com/advisory/ntap-20240726-0005/"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "CPython 3.9 and earlier doesn't disallow configuring an empty list (\"[]\") for SSLContext.set_npn_protocols() which is an invalid value for the underlying OpenSSL API. This results in a buffer over-read when NPN is used (see CVE-2024-5535 for OpenSSL). This vulnerability is of low severity due to NPN being not widely used and specifying an empty list likely being uncommon in-practice (typically a protocol name would be configured).", "supportingMedia": [{"type": "text/html", "value": "CPython 3.9 and earlier doesn't disallow configuring an empty list (\"[]\") for SSLContext.set_npn_protocols() which is an invalid value for the underlying OpenSSL API. This results in a buffer over-read when NPN is used (see <span style=\"background-color: oklab(0.0852327 0.00000386313 0.00000170618 / 0.06);\">CVE</span><span style=\"background-color: oklab(0.0852327 0.00000386313 0.00000170618 / 0.06);\">-2024</span><span style=\"background-color: oklab(0.0852327 0.00000386313 0.00000170618 / 0.06);\">-5535</span> for OpenSSL). This vulnerability is of low severity due to NPN being not widely used and specifying an empty list likely being uncommon in-practice (typically a protocol name would be configured).<br>", "base64": false}]}], "providerMetadata": {"orgId": "28c92f92-d60d-412d-b760-e73465c3df22", "shortName": "PSF", "dateUpdated": "2024-07-01T13:51:32.404Z"}}}, "cveMetadata": {"cveId": "CVE-2024-5642", "state": "PUBLISHED", "dateUpdated": "2024-11-06T20:14:30.590Z", "dateReserved": "2024-06-04T18:40:21.539Z", "assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22", "datePublished": "2024-06-27T21:05:31.281Z", "assignerShortName": "PSF"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "CPython 3.9 and earlier doesn't disallow configuring an empty list (\"[]\") for SSLContext.set_npn_protocols() which is an invalid value for the underlying OpenSSL API. This results in a buffer over-read when NPN is used (see CVE-2024-5535 for OpenSSL). This vulnerability is of low severity due to NPN being not widely used and specifying an empty list likely being uncommon in-practice (typically a protocol name would be configured)."}, {"lang": "es", "value": "CPython 3.9 y versiones anteriores no permiten la configuraci\u00f3n de una lista vac\u00eda (\"[]\") para SSLContext.set_npn_protocols(), que es un valor no v\u00e1lido para la API OpenSSL subyacente. Esto da como resultado una lectura excesiva del b\u00fafer cuando se utiliza NPN (consulte CVE-2024-5535 para OpenSSL). Esta vulnerabilidad es de baja gravedad debido a que NPN no se usa ampliamente y especificar una lista vac\u00eda probablemente sea poco com\u00fan en la pr\u00e1ctica (normalmente se configurar\u00eda un nombre de protocolo)."}], "id": "CVE-2024-5642", "lastModified": "2024-11-21T09:48:04.713", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-06-27T21:15:16.070", "references": [{"source": "cna@python.org", "url": "http://www.openwall.com/lists/oss-security/2024/06/28/4"}, {"source": "cna@python.org", "url": "https://github.com/python/cpython/commit/39258d3595300bc7b952854c915f63ae2d4b9c3e"}, {"source": "cna@python.org", "url": "https://github.com/python/cpython/issues/121227"}, {"source": "cna@python.org", "url": "https://github.com/python/cpython/pull/23014"}, {"source": "cna@python.org", "url": "https://jbp.io/2024/06/27/cve-2024-5535-openssl-memory-safety.html"}, {"source": "cna@python.org", "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/PLP2JI3PJY33YG6P5BZYSSNU66HASXBQ/"}, {"source": "cna@python.org", "url": "https://security.netapp.com/advisory/ntap-20240726-0005/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2024/06/28/4"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/python/cpython/commit/39258d3595300bc7b952854c915f63ae2d4b9c3e"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/python/cpython/issues/121227"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://github.com/python/cpython/pull/23014"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://jbp.io/2024/06/27/cve-2024-5535-openssl-memory-safety.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/PLP2JI3PJY33YG6P5BZYSSNU66HASXBQ/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.netapp.com/advisory/ntap-20240726-0005/"}], "sourceIdentifier": "cna@python.org", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "python: Invalid value for OpenSSL API may cause Buffer over-read when NPN is used", "id": "2294682", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2294682"}, "csaw": false, "cvss3": {"cvss3_base_score": "2.7", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-20", "details": ["CPython 3.9 and earlier doesn't disallow configuring an empty list (\"[]\") for SSLContext.set_npn_protocols() which is an invalid value for the underlying OpenSSL API. This results in a buffer over-read when NPN is used (see CVE-2024-5535 for OpenSSL). This vulnerability is of low severity due to NPN being not widely used and specifying an empty list likely being uncommon in-practice (typically a protocol name would be configured).", "A vulnerability was found in Python/CPython that does not disallow configuring an empty list (\"[]\") for SSLContext.set_npn_protocols(), which is an invalid value for the underlying OpenSSL API. This issue results in a buffer over-read when NPN is used. See CVE -2024-5535 for OpenSSL for more information."], "name": "CVE-2024-5642", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "python", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "python", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "python3", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "gimp:flatpak/python2", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "inkscape:flatpak/python2", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "python27:2.7/python2", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "python3", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "python3.11", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "python3.12", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "python36:3.6/python36", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "python39:3.9/python39", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "python39-devel:3.9/python39", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "python3.11", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "python3.12", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "python3.9", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-06-27T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-5642\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-5642\nhttps://mail.python.org/archives/list/security-announce@python.org/thread/PLP2JI3PJY33YG6P5BZYSSNU66HASXBQ/"], "statement": "This vulnerability is rated with a Low severity due to NPN not being widely used and specifying an empty list is likely uncommon in practice. Typically, a protocol name would be configured.", "threat_severity": "Low"}