Description
CVE-2020-36242 references github.com/pyca/cryptography, which may be a Go module.
Description:
In the cryptography package before 3.3.2 for Python, certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class.
Links:
- NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-36242
- JSON: https://github.com/CVEProject/cvelist/tree/7d751fe042699f3876b56694798ea6e964c51147/2020/36xxx/CVE-2020-36242.json
- https://github.com/pyca/cryptography/blob/master/CHANGELOG.rst
- https://github.com/pyca/cryptography/compare/3.3.1...3.3.2 (pyca/cryptography@3.3.1...3.3.2)
- https://github.com/pyca/cryptography/issues/5615 ("Fernet fails to encrypt/decrypt large data", pyca/cryptography#5615)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7RGQLK4J5ZQFRLKCHVVG6BKZTUQMG7E/
- https://www.oracle.com/security-alerts/cpuapr2022.html
See doc/triage.md for instructions on how to triage this report.
module: github.com/pyca/cryptography
package: n/a
description: |
    In the cryptography package before 3.3.2 for Python, certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class.
cves:
  - CVE-2020-36242
links:
    context:
      - https://github.com/pyca/cryptography/blob/master/CHANGELOG.rst
      - https://github.com/pyca/cryptography/compare/3.3.1...3.3.2
      - https://github.com/pyca/cryptography/issues/5615
      - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7RGQLK4J5ZQFRLKCHVVG6BKZTUQMG7E/
      - https://www.oracle.com/security-alerts/cpuapr2022.html