GHSA-79V4-65XG-PQ4G

Vulnerability from github – Published: 2025-02-11 18:06 – Updated: 2025-02-12 18:20
VLAI
Summary
Vulnerable OpenSSL included in cryptography wheels
Details

pyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in cryptography 42.0.0-44.0.0 are vulnerable to a security issue. More details about the vulnerability itself can be found in https://openssl-library.org/news/secadv/20250211.txt.

If you are building cryptography source ("sdist") then you are responsible for upgrading your copy of OpenSSL. Only users installing from wheels built by the cryptography project (i.e., those distributed on PyPI) need to update their cryptography versions.

Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "cryptography"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "42.0.0"
            },
            {
              "fixed": "44.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-12797"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1395",
      "CWE-392"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-02-11T18:06:42Z",
    "nvd_published_at": "2025-02-11T16:15:38Z",
    "severity": "LOW"
  },
  "details": "pyca/cryptography\u0027s wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in cryptography 42.0.0-44.0.0 are vulnerable to a security issue. More details about the vulnerability itself can be found in https://openssl-library.org/news/secadv/20250211.txt.\n\nIf you are building cryptography source (\"sdist\") then you are responsible for upgrading your copy of OpenSSL. Only users installing from wheels built by the cryptography project (i.e., those distributed on PyPI) need to update their cryptography versions.",
  "id": "GHSA-79v4-65xg-pq4g",
  "modified": "2025-02-12T18:20:06Z",
  "published": "2025-02-11T18:06:42Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pyca/cryptography/security/advisories/GHSA-79v4-65xg-pq4g"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12797"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openssl/openssl/commit/738d4f9fdeaad57660dcba50a619fafced3fd5e9"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openssl/openssl/commit/798779d43494549b611233f92652f0da5328fbe7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openssl/openssl/commit/87ebd203feffcf92ad5889df92f90bb0ee10a699"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pyca/cryptography"
    },
    {
      "type": "WEB",
      "url": "https://openssl-library.org/news/secadv/20250211.txt"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/02/11/3"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/02/11/4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Vulnerable OpenSSL included in cryptography wheels"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.