PyPi: Xknx

CVE-2022-3786

Transitive

Safety vulnerability ID: 52070

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Nov 01, 2022 Updated at Dec 11, 2024

Advisory

Xknx 2.0.0 updates its dependency 'cryptography' to v38.0.3 to include security fixes.

Affected package

xknx

Latest version: 3.4.0

An Asynchronous Library for the KNX protocol. Documentation: https://xknx.io/

Affected versions

Fixed versions

Vulnerability changelog

Interface changes

- Removed `own_address` from `XKNX` class. `ConnectionConfig` `individual_address` can be used to set a source address for routing instead. If set for a secure tunnelling connection, a tunnel with this IA will be read from the knxkeys file.
- Disable TelegramQueue rate limiting by default.
- Separate discovery multicast group from routing group. Add `multicast_group` and `multicast_port` `ConnectionConfig` parameters.

Connection and Discovery

- Use manually configured IP secure tunnel password over loading it from keyring.
- GatewayScanFilter now also matches secure-enabled gateways by default. The `secure` argument has been replaced by `secure_tunnelling` and `secure_routing` arguments. When multiple methods are `True`, a gateway is matched if one of them is supported. Non-secure methods don't match if secure is required for that gateway.
- Self description queries more information from Core v2 devices via SearchRequestExtended.

Features

- Add support for python 3.11
- Add methods to Keyring to get interfaces by individual address (host or tunnel).

Internal

- Remove `InterfaceWithUserIdNotFound` and `InvalidSignature` errors in favor of `InvalidSecureConfiguration`.
- Keyring: rename `load_key_ring` to `load_keyring` and make it a coroutine.

Management

- Fix APCI service parsing for 10-bit control fields.
- Set reasonable default count values for APCI classes.
- Set xknx.current_address for routing connections so management frames received over Routing are handled properly.
- Fix wrong length of AuthorizeRequest.
- Raise sane error messages in Management.

Bugfixes

- No mutable default arguments. Fixes unexpected behaviour like GatewayScanner not finding all interfaces.

Resources


Severity Details

CVSS Base Score: HIGH 7.5

CVSS v3 Details (HIGH 7.5)

| Metric | Value |
|---|---|
| Attack Vector (AV) | NETWORK |
| Attack Complexity (AC) | LOW |
| Privileges Required (PR) | NONE |
| User Interaction (UI) | NONE |
| Scope (S) | UNCHANGED |
| Confidentiality Impact (C) | NONE |
| Integrity Impact (I) | NONE |
| Availability Impact (A) | HIGH |