CPython 3.9+ SSLContext.set_npn_protocols Empty List Buffer Over-Read
CVE-2024-5642 Published on June 27, 2024
Buffer overread when using an empty list with SSLContext.set_npn_protocols()
CPython 3.9 and earlier doesn't disallow configuring an empty list ("[]") for SSLContext.set_npn_protocols(), which is an invalid value for the underlying OpenSSL API. This results in a buffer over-read when NPN is used (see CVE-2024-5535 for OpenSSL). This vulnerability is of low severity because NPN is not widely used and specifying an empty list is likely uncommon in practice (typically a protocol name would be configured).
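An added example (not from the advisory or from CPython): a small static audit that finds SSLContext.set_npn_protocols() call sites in Python source and flags those that pass an empty literal, the invalid value described above. The sample source and the names audit_npn_calls and _classify are constructed for illustration.

```python
import ast

# Constructed sample source to audit (not taken from any real project).
SAMPLE = '''
import ssl
ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
ctx.set_npn_protocols([])
ctx.set_npn_protocols(["http/1.1"])
ctx.set_npn_protocols(load_protocols())
ctx.set_npn_protocols(list())
'''

def _classify(arg):
    """Return 'empty', 'ok' or 'dynamic' for the protocols argument node."""
    if isinstance(arg, (ast.List, ast.Tuple, ast.Set)):
        # A starred element ([*x]) has unknown length at analysis time.
        if any(isinstance(e, ast.Starred) for e in arg.elts):
            return "dynamic"
        return "ok" if arg.elts else "empty"
    # list() / tuple() with no arguments is also an empty sequence.
    if (isinstance(arg, ast.Call) and isinstance(arg.func, ast.Name)
            and arg.func.id in ("list", "tuple")
            and not arg.args and not arg.keywords):
        return "empty"
    # Variables, function results, etc. cannot be decided statically.
    return "dynamic"

def audit_npn_calls(source, filename="<constructed>"):
    """Return sorted (line, verdict) pairs for each .set_npn_protocols() call."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr == "set_npn_protocols"):
            continue
        # Accept the argument positionally or as a keyword.
        values = list(node.args) + [kw.value for kw in node.keywords]
        verdict = _classify(values[0]) if values else "dynamic"
        findings.append((node.lineno, verdict))
    return sorted(findings)

if __name__ == "__main__":
    for line, verdict in audit_npn_calls(SAMPLE):
        print(f"line {line}: {verdict}")
```

Call sites reported as "dynamic" cannot be decided from the source alone; they need a runtime check that the protocol list is non-empty before the call.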
Vulnerability Analysis
CVE-2024-5642 is exploitable with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. An exploit of this vulnerability is considered to have a small impact on confidentiality, a small impact on integrity, and a small impact on availability.
Products Associated with CVE-2024-5642
Affected Versions
Python Software Foundation CPython:
- Before 3.9.24 is affected.
- Version 3.10.0a1 and below 3.10.0b1 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.