Vulnerability Name:

CVE-2020-36242 (CCN-196426)

Assigned:2020-12-09
Published:2020-12-09
Updated:2022-12-06
Summary:In the cryptography package before 3.3.2 for Python, certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class.
CVSS v3 Severity:9.1 Critical (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)
7.9 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): None
Availability (A): High
9.1 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)
7.9 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): None
Availability (A): High
8.2 High (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H)
7.1 High (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): None
Availability (A): High
CVSS v2 Severity:6.4 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availability (A): Partial
9.4 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:N/A:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): Complete
Integrity (I): None
Availability (A): Complete
Vulnerability Type:CWE-119
Vulnerability Consequences:Gain Access
References:Source: MITRE
Type: CNA
CVE-2020-36242

Source: XF
Type: UNKNOWN
cryptography-cve202036242-overflow(196426)

Source: cve@mitre.org
Type: Release Notes, Third Party Advisory
cve@mitre.org

Source: cve@mitre.org
Type: Patch, Third Party Advisory
cve@mitre.org

Source: CCN
Type: cryptography GIT Repository
Fernet fails to encrypt/decrypt large data #5615

Source: cve@mitre.org
Type: Exploit, Patch, Third Party Advisory
cve@mitre.org

Source: cve@mitre.org
Type: Mailing List, Third Party Advisory
cve@mitre.org

Source: CCN
Type: IBM Security Bulletin 6469481 (Spectrum Discover)
Vulnerabilities in the Python, Python cryptography, and Urllib3 affect IBM Spectrum Discover

Source: CCN
Type: IBM Security Bulletin 6492741 (Watson Discovery)
IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Python cryptography

Source: CCN
Type: IBM Security Bulletin 6507113 (Qradar Advisor)
IBM QRadar Advisor With Watson uses components with known vulnerabilities (CVE-2020-36242, CVE-2021-33503, CVE-2020-28493)

Source: CCN
Type: Oracle CPUApr2022
Oracle Critical Patch Update Advisory - April 2022

Source: cve@mitre.org
Type: Patch, Third Party Advisory
cve@mitre.org

Source: cve@mitre.org
Type: Patch, Third Party Advisory
cve@mitre.org

Vulnerable Configuration:
Configuration RedHat 1:
  • cpe:/o:redhat:enterprise_linux:8:*:*:*:*:*:*:*
Configuration RedHat 2:
  • cpe:/o:redhat:enterprise_linux:8::baseos:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:cryptography_project:cryptography:3.3.1:*:*:*:*:python:*:*
    AND
  • cpe:/a:ibm:watson_discovery:2.0.0:*:*:*:*:*:*:*
    OR cpe:/a:ibm:watson_discovery:2.2.1:*:*:*:*:*:*:*
    OR cpe:/a:ibm:qradar_advisor:2.6.1:*:*:*:*:*:*:*

* Denotes that component is vulnerable
Oval Definitions:
Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:7770 | P | python3-cryptography-3.3.2-150400.16.6.1 on GA media (Moderate) | 2023-06-12
oval:org.opensuse.security:def:7667 | P | libsmi-0.4.8-1.29 on GA media (Moderate) | 2023-06-12
oval:org.opensuse.security:def:8172 | P | Security update for grpc, protobuf, python-Deprecated, python-PyGithub, python-aiocontextvars, python-avro, python-bcrypt, python-cryptography, python-cryptography-vectors, python-google-api-core, python-googleapis-common-protos, python-grpcio-gcp, python-humanfriendly, python-jsondiff, python-knack, python-opencensus, python-opencensus-context, python-opencensus-ext-threading, python-opentelemetry-api, python-psutil, python-pytest-asyncio, python-requests, python-websocket-client, python-websockets (Important) (in QA) | 2023-05-18
oval:org.opensuse.security:def:8185 | P | Security update for grpc, protobuf, python-Deprecated, python-PyGithub, python-aiocontextvars, python-avro, python-bcrypt, python-cryptography, python-cryptography-vectors, python-google-api-core, python-googleapis-common-protos, python-grpcio-gcp, python-humanfriendly, python-jsondiff, python-knack, python-opencensus, python-opencensus-context, python-opencensus-ext-threading, python-opentelemetry-api, python-psutil, python-pytest-asyncio, python-requests, python-websocket-client, python-websockets (Important) (in QA) | 2023-05-18
oval:org.opensuse.security:def:8197 | P | Security update for grpc, protobuf, python-Deprecated, python-PyGithub, python-aiocontextvars, python-avro, python-bcrypt, python-cryptography, python-cryptography-vectors, python-google-api-core, python-googleapis-common-protos, python-grpcio-gcp, python-humanfriendly, python-jsondiff, python-knack, python-opencensus, python-opencensus-context, python-opencensus-ext-threading, python-opentelemetry-api, python-psutil, python-pytest-asyncio, python-requests, python-websocket-client, python-websockets (Important) (in QA) | 2023-05-18
oval:org.opensuse.security:def:8111 | P | Security update for grpc, protobuf, python-Deprecated, python-PyGithub, python-aiocontextvars, python-avro, python-bcrypt, python-cryptography, python-cryptography-vectors, python-google-api-core, python-googleapis-common-protos, python-grpcio-gcp, python-humanfriendly, python-jsondiff, python-knack, python-opencensus, python-opencensus-context, python-opencensus-ext-threading, python-opentelemetry-api, python-psutil, python-pytest-asyncio, python-requests, python-websocket-client, python-websockets (Important) (in QA) | 2023-05-18
oval:org.opensuse.security:def:624 | P | Security update for python-crcmod, python-cryptography, python-cryptography-vectors (Moderate) (in QA) | 2022-09-26
oval:org.opensuse.security:def:3168 | P | libevent-2_0-5-2.0.21-6.3.1 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:3566 | P | libXt6-1.1.4-3.57 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:94678 | P | libopus-devel-1.3.1-3.6.1 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:94798 | P | python3-cryptography-2.8-10.1 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:284 | P | python3-cryptography-2.8-3.6.1 on GA media (Moderate) | 2022-06-13
oval:org.opensuse.security:def:93169 | P | (Important) | 2022-03-10
oval:org.opensuse.security:def:93322 | P | (Moderate) | 2022-02-18
oval:org.opensuse.security:def:99212 | P | (Important) | 2022-02-18
oval:org.opensuse.security:def:113259 | P | python36-cryptography-3.3.2-2.4 on GA media (Moderate) | 2022-01-17
oval:org.opensuse.security:def:106671 | P | python36-cryptography-3.3.2-2.4 on GA media (Moderate) | 2021-10-01
oval:org.opensuse.security:def:99409 | P | (Important) | 2021-08-24
oval:org.opensuse.security:def:101391 | P | python3-hpack-3.0.0-3.2.1 on GA media (Moderate) | 2021-08-10
oval:org.opensuse.security:def:1213 | P | python3-cryptography-2.8-3.6.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:72043 | P | python3-cryptography-2.8-3.6.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:101060 | P | python3-cryptography-2.8-3.6.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:62302 | P | python3-cryptography-2.8-3.6.1 on GA media (Moderate) | 2021-08-09
oval:com.redhat.rhsa:def:20211608 | P | RHSA-2021:1608: python-cryptography security, bug fix, and enhancement update (Moderate) | 2021-05-18
oval:org.opensuse.security:def:69799 | P | Security update for python-cryptography (Important) | 2021-03-03
oval:org.opensuse.security:def:99017 | P | Security update for python-cryptography (Important) | 2021-03-03
oval:org.opensuse.security:def:10409 | P | Security update for python-cryptography (Important) | 2021-03-03
oval:org.opensuse.security:def:8712 | P | Security update for python-cryptography (Important) | 2021-03-03
oval:org.opensuse.security:def:92067 | P | Security update for python-cryptography (Important) | 2021-03-03
oval:org.opensuse.security:def:99807 | P | Security update for python-cryptography (Important) | 2021-03-03
oval:org.opensuse.security:def:9659 | P | Security update for python-cryptography (Important) | 2021-03-03
oval:org.opensuse.security:def:92857 | P | Security update for python-cryptography (Important) | 2021-03-03
oval:org.opensuse.security:def:69998 | P | Security update for python-cryptography (Important) | 2021-03-03
oval:org.opensuse.security:def:8906 | P | Security update for python-cryptography (Important) | 2021-03-03
oval:org.opensuse.security:def:92262 | P | Security update for python-cryptography (Important) | 2021-03-03
oval:org.opensuse.security:def:100119 | P | Security update for python-cryptography (Important) | 2021-03-03
oval:org.opensuse.security:def:9858 | P | Security update for python-cryptography (Important) | 2021-03-03
oval:org.opensuse.security:def:93016 | P | Security update for python-cryptography (Important) | 2021-03-03
oval:org.opensuse.security:def:70355 | P | Security update for python-cryptography (Important) | 2021-03-03
oval:org.opensuse.security:def:97265 | P | Security update for python-cryptography (Important) | 2021-03-03
oval:org.opensuse.security:def:9101 | P | Security update for python-cryptography (Important) | 2021-03-03
oval:org.opensuse.security:def:92459 | P | Security update for python-cryptography (Important) | 2021-03-03
oval:org.opensuse.security:def:69601 | P | Security update for python-cryptography (Important) | 2021-03-03
oval:org.opensuse.security:def:10215 | P | Security update for python-cryptography (Important) | 2021-03-03
oval:org.opensuse.security:def:70549 | P | Security update for python-cryptography (Important) | 2021-03-03
oval:org.opensuse.security:def:99608 | P | Security update for python-cryptography (Important) | 2021-03-03
oval:org.opensuse.security:def:9461 | P | Security update for python-cryptography (Important) | 2021-03-03
oval:org.opensuse.security:def:92658 | P | Security update for python-cryptography (Important) | 2021-03-03
oval:org.opensuse.security:def:34643 | P | Security update for python-cryptography (Important) | 2021-03-02
oval:org.opensuse.security:def:30033 | P | Security update for python-cryptography (Important) | 2021-03-02
oval:org.opensuse.security:def:59598 | P | Security update for python-cryptography (Important) | 2021-03-02
oval:org.opensuse.security:def:87553 | P | Security update for python-cryptography (Important) | 2021-03-02
oval:org.opensuse.security:def:54768 | P | Security update for python-cryptography (Important) | 2021-03-02
oval:org.opensuse.security:def:127226 | P | Security update for python-cryptography (Important) | 2021-03-02
oval:org.opensuse.security:def:33089 | P | Security update for python-cryptography (Important) | 2021-03-02
oval:org.opensuse.security:def:88573 | P | Security update for python-cryptography (Important) | 2021-03-02
oval:org.opensuse.security:def:24028 | P | Security update for python-cryptography (Important) | 2021-03-02
oval:org.opensuse.security:def:57560 | P | Security update for python-cryptography (Important) | 2021-03-02
oval:org.opensuse.security:def:85814 | P | Security update for python-cryptography (Important) | 2021-03-02
oval:org.opensuse.security:def:51171 | P | Security update for python-cryptography (Important) | 2021-03-02
oval:org.opensuse.security:def:82152 | P | Security update for python-cryptography (Important) | 2021-03-02
oval:org.opensuse.security:def:31350 | P | Security update for python-cryptography (Important) | 2021-03-02
oval:org.opensuse.security:def:59856 | P | Security update for python-cryptography (Important) | 2021-03-02
oval:org.opensuse.security:def:21418 | P | Security update for python-cryptography (Important) | 2021-03-02
oval:org.opensuse.security:def:55301 | P | Security update for python-cryptography (Important) | 2021-03-02
oval:org.opensuse.security:def:84276 | P | Security update for python-cryptography (Important) | 2021-03-02
oval:org.opensuse.security:def:33775 | P | Security update for python-cryptography (Important) | 2021-03-02
oval:org.opensuse.security:def:89253 | P | Security update for python-cryptography (Important) | 2021-03-02
oval:org.opensuse.security:def:28945 | P | Security update for python-cryptography (Important) | 2021-03-02
oval:org.opensuse.security:def:58089 | P | Security update for python-cryptography (Important) | 2021-03-02
oval:org.opensuse.security:def:86201 | P | Security update for python-cryptography (Important) | 2021-03-02
oval:org.opensuse.security:def:51740 | P | Security update for python-cryptography (Important) | 2021-03-02
oval:org.opensuse.security:def:82685 | P | Security update for python-cryptography (Important) | 2021-03-02
oval:org.opensuse.security:def:125661 | P | Security update for python-cryptography (Important) | 2021-03-02
oval:org.opensuse.security:def:31737 | P | Security update for python-cryptography (Important) | 2021-03-02
oval:org.opensuse.security:def:60466 | P | Security update for python-cryptography (Important) | 2021-03-02
oval:org.opensuse.security:def:88256 | P | Security update for python-cryptography (Important) | 2021-03-02
oval:org.opensuse.security:def:23183 | P | Security update for python-cryptography (Important) | 2021-03-02
oval:org.opensuse.security:def:55856 | P | Security update for python-cryptography (Important) | 2021-03-02
oval:org.opensuse.security:def:34033 | P | Security update for python-cryptography (Important) | 2021-03-02
oval:org.opensuse.security:def:89511 | P | Security update for python-cryptography (Important) | 2021-03-02
oval:org.opensuse.security:def:29478 | P | Security update for python-cryptography (Important) | 2021-03-02
oval:org.opensuse.security:def:58912 | P | Security update for python-cryptography (Important) | 2021-03-02
oval:org.opensuse.security:def:86730 | P | Security update for python-cryptography (Important) | 2021-03-02
oval:org.opensuse.security:def:52016 | P | Security update for python-cryptography (Important) | 2021-03-02
oval:org.opensuse.security:def:83240 | P | Security update for python-cryptography (Important) | 2021-03-02
oval:org.opensuse.security:def:126829 | P | Security update for python-cryptography (Important) | 2021-03-02
oval:org.opensuse.security:def:32266 | P | Security update for python-cryptography (Important) | 2021-03-02
oval:org.opensuse.security:def:23752 | P | Security update for python-cryptography (Important) | 2021-03-02
oval:org.opensuse.security:def:57173 | P | Security update for python-cryptography (Important) | 2021-03-02
oval:org.opensuse.security:def:84734 | P | Security update for python-cryptography (Important) | 2021-03-02
oval:org.opensuse.security:def:81112 | P | Security update for python-cryptography (Important) | 2021-03-02
oval:org.opensuse.security:def:84275 | P | Security update for python-cryptography (Important) | 2021-03-01
oval:org.opensuse.security:def:88255 | P | Security update for python-cryptography (Important) | 2021-03-01
oval:org.opensuse.security:def:84733 | P | Security update for python-cryptography (Important) | 2021-03-01
oval:org.opensuse.security:def:88572 | P | Security update for python-cryptography (Important) | 2021-03-01
oval:org.opensuse.security:def:111239 | P | Security update for python-cryptography (Important) | 2021-02-26
oval:org.opensuse.security:def:109325 | P | Security update for python-cryptography (Important) | 2021-02-25
oval:org.opensuse.security:def:64655 | P | Security update for python-cryptography (Important) | 2021-02-25
oval:org.opensuse.security:def:118416 | P | Security update for python-cryptography (Important) | 2021-02-25
oval:org.opensuse.security:def:100377 | P | (Important) | 2021-02-25
oval:org.opensuse.security:def:97236 | P | Security update for python-cryptography (Important) | 2021-02-25
oval:org.opensuse.security:def:68756 | P | Security update for python-cryptography (Important) | 2021-02-25
oval:org.opensuse.security:def:100711 | P | (Important) | 2021-02-25
oval:org.opensuse.security:def:73777 | P | Security update for python-cryptography (Important) | 2021-02-25
oval:org.opensuse.security:def:95946 | P | Security update for python-cryptography (Important) | 2021-02-25
oval:org.opensuse.security:def:108057 | P | Security update for python-cryptography (Important) | 2021-02-25
oval:org.opensuse.security:def:76536 | P | Security update for python-cryptography (Important) | 2021-02-25
oval:org.opensuse.security:def:117571 | P | Security update for python-cryptography (Important) | 2021-02-25
oval:org.opensuse.security:def:102659 | P | Security update for python-cryptography (Important) | 2021-02-25
Affected Products:
  • cryptography_project cryptography 3.3.1
  • ibm watson discovery 2.0.0
  • ibm watson discovery 2.2.1
  • ibm qradar advisor 2.6.1