PT-2021-7287 · Pypi+8 · Cryptography+8

Published 2020-12-09 · Updated 2025-10-05 · CVE-2020-36242

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: cryptography versions prior to 3.3.2

Description: The issue is an integer overflow in the cryptography package for Python. The overflow can occur when certain sequences of update() calls are made to symmetrically encrypt multi-GB values, and it can lead to a buffer overflow. An attacker could exploit this issue by sending specially crafted data, allowing them to execute arbitrary code on the target system. The Fernet class is specifically mentioned as demonstrating this vulnerability.

Recommendations: For versions prior to 3.3.2, update to version 3.3.2 or newer to resolve the issue. As a temporary workaround, restrict the use of large values in symmetric encryption or decryption to minimize the risk of exploitation, and avoid calling update() with multi-GB values until the package has been updated.

Tags: Exploit · Fix · DoS · Memory Corruption · Integer Overflow

Related Identifiers

ALT-PU-2021-1235
ALT-PU-2023-7318
ALT-PU-2023-7463
ALT-PU-2023-7647
ALT-PU-2023-7888
ALT-PU-2023-8071
ALT-PU-2023-8443
ALT-PU-2024-9926
BDU:2022-05229
CESA-2021_1608
CVE-2020-36242
GHSA-RHM9-P9W5-FWM7
MGASA-2021-0129
OESA-2021-1089
OPENSUSE-SU-2021:0349-1
OPENSUSE-SU-2021_0349-1
OPENSUSE-SU-2024:11223-1
OPENSUSE-SU-2024:13819-1
PYSEC-2021-63
RHSA-2021:1608
RHSA-2021:2239
RHSA-2021:3254
RHSA-2021_1608
RLSA-2021:1608
SUSE-FU-2022:0444-1
SUSE-FU-2022:0445-1
SUSE-RU-2022:4567-1
SUSE-SU-2021:0594-1
SUSE-SU-2021:0668-1
SUSE-SU-2021:0669-1
SUSE-SU-2021:0675-1
SUSE-SU-2021:0696-1
SUSE-SU-2021_0594-1
SUSE-SU-2021_0675-1
SUSE-SU-2021_0696-1
SUSE-SU-2023:0604-1
SUSE-SU-2023:1838-1
SUSE-SU-2023:2783-1
SUSE-SU-2023:2783-2

Affected Products

ALT Linux
Astra Linux
CentOS
Red Hat
RED OS
Rocky Linux
SUSE
zVirt Node
cryptography