Workflow

PyPi: Async-Firebase

CVE-2023-4807

Transitive

Safety vulnerability ID: 65746

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Sep 08, 2023 Updated at Oct 30, 2024
Scan your Python projects for vulnerabilities →

Advisory

Async-firebase version 3.6.2 has updated its cryptography dependency to version 42.0.4 in response to the security vulnerability identified as CVE-2023-4807.

Affected package

async-firebase

Latest version: 3.9.0

Async Firebase Client - a Python asyncio client to interact with Firebase Cloud Messaging in an easy way.

Affected versions

Fixed versions

Vulnerability changelog

* Resolve a couple of security concerns by updating `cryptography` package to `42.0.4`.
* [High] cryptography NULL pointer dereference with pkcs12.serialize_key_and_certificates when called with a non-matching certificate and private key and an hmac_hash override
* [High] Python Cryptography package vulnerable to Bleichenbacher timing oracle attack
* [Moderate] Null pointer dereference in PKCS12 parsing
* [Moderate] cryptography vulnerable to NULL-dereference when loading PKCS7 certificates

Resources

Use this package?

Scan your Python project for dependency vulnerabilities in two minutes

Scan your application

Severity Details

CVSS Base Score

HIGH 7.8

CVSS v3 Details

HIGH 7.8
Attack Vector (AV)
LOCAL
Attack Complexity (AC)
LOW
Privileges Required (PR)
LOW
User Interaction (UI)
NONE
Scope (S)
UNCHANGED
Confidentiality Impact (C)
HIGH
Integrity Impact (I)
HIGH
Availability Availability (A)
HIGH