Safety vulnerability ID: 71684
The information on this page was manually curated by our Cybersecurity Intelligence Team.
The `cryptography` library updates its BoringSSL and OpenSSL dependencies in CI due to a security concern. Specifically, certain non-default TLS server configurations can cause unbounded memory growth when processing TLSv1.3 sessions, leading to a potential Denial of Service (DoS) attack. The issue arises when the `SSL_OP_NO_TICKET` option is used without early data support and default anti-replay protection. Under these conditions, the session cache can become misconfigured, preventing it from flushing properly and causing it to grow indefinitely. A malicious client can exploit this scenario to trigger a DoS attack, although it can also occur accidentally during normal operations. This vulnerability affects only TLS servers supporting TLSv1.3 and does not impact TLS clients. Additionally, the FIPS modules in versions 3.2, 3.1, and 3.0, as well as OpenSSL 1.0.2, are not affected by this issue.
Latest version: 44.0.0
cryptography is a package which provides cryptographic recipes and primitives to Python developers.
This vulnerability has no description
Scan your Python project for dependency vulnerabilities in two minutes
Scan your application