Access of Resource Using Incompatible Type ('Type Confusion') Affecting cryptography package, versions [,39.0.1)


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.42% (74th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Access of Resource Using Incompatible Type ('Type Confusion') vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-PYTHON-CRYPTOGRAPHY-3315328
  • published8 Feb 2023
  • disclosed7 Feb 2023
  • creditDavid Benjamin

Introduced: 7 Feb 2023

CVE-2023-0286  (opens in a new tab)
CWE-843  (opens in a new tab)

How to fix?

Upgrade cryptography to version 39.0.1 or higher.

Overview

Affected versions of this package are vulnerable to Access of Resource Using Incompatible Type ('Type Confusion') in x509/v3_genn.c, when processing X.400 addresses with CRL checking enabled (e.g. when X509_V_FLAG_CRL_CHECK is set). An attacker in possession of both the certificate chain and CRL, of which neither needs a valid signature, can expose memory or cause a denial of service. If the attacker only controls one of these inputs, the other input must already contain an X.400 address as a CRL distribution point, which is uncommon.

CVSS Scores

version 3.1