Description
CPython 3.9 and earlier does not reject an empty list ("[]") passed to SSLContext.set_npn_protocols(), even though an empty protocol list is an invalid value for the underlying OpenSSL API. When NPN is then used, the result is a buffer over-read (see CVE-2024-5535 for the corresponding OpenSSL issue). The vulnerability is of low severity because NPN is not widely used and configuring an empty list is likely uncommon in practice (typically at least one protocol name would be configured).
References
Issue Tracking (issue-tracking): https://github.com/python/cpython/issues/121227
Issue Tracking (mitigation): https://github.com/python/cpython/pull/23014
Vendor Advisory: https://security.netapp.com/advisory/ntap-20240726-0005/
Various Sources (third-party-advisory): https://jbp.io/2024/06/27/cve-2024-5535-openssl-memory-safety.html
Various Sources (vendor-advisory): https://mail.python.org/archives/list/security-announce@python.org/thread/PLP2JI3PJY33YG6P5BZYSSNU66HASXBQ/
Scores
CVSS v3: 6.5
EPSS: 0.0019
EPSS Percentile: 40.1%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: partial
Details
Status: published
Products (3)
Python Software Foundation/CPython: < 3.10.0b1
Python Software Foundation/CPython: < 3.9.24
Python Software Foundation/CPython: 3.10.0a1 - 3.10.0b1
Published: Jun 27, 2024
Tracked Since: Feb 18, 2026