CVE-2024-12797
Security issue vulnerability in cryptography (PyPI)
What is CVE-2024-12797 About?
This vulnerability stems from older, vulnerable versions of OpenSSL being statically linked into pyca/cryptography's wheels. Applications that use those wheels are exposed to whatever flaw the bundled OpenSSL carries. Exploitation depends on the nature of the underlying OpenSSL flaw, but any user who installs the affected pre-built wheels picks up the vulnerable OpenSSL simply by installing them.
Affected Software
Technical Details
The pyca/cryptography library packages pre-compiled wheels that contain a statically linked copy of OpenSSL. Specific versions of these wheels (42.0.0-44.0.0) incorporate an OpenSSL library with a known security vulnerability. This means any application using one of these wheels inherits the issues present in the embedded OpenSSL, regardless of which OpenSSL is installed on the host. Users who compile cryptography from source (sdist) are not affected by the wheel's bundled OpenSSL, but are responsible for managing the OpenSSL version they link against. The attack vector is indirect: the cryptography library effectively acts as a carrier for the underlying OpenSSL vulnerability.
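To find out whether a given interpreter is running one of the wheels in question, the following script (an added example, not part of this advisory or of pyca/cryptography) reads the installed cryptography version and the OpenSSL version string the backend reports. The affected range is taken from the Technical Details above (42.0.0 through 44.0.0, fixed in 44.0.1); the helper names are assumptions, and the reported OpenSSL string should be compared by hand against the OpenSSL advisory linked under Additional Resources.

```python
"""Check an installed pyca/cryptography against the affected wheel range."""
from __future__ import annotations

import importlib
import re

# Range as stated in the advisory's Technical Details: wheels 42.0.0 through
# 44.0.0 bundle the vulnerable OpenSSL; 44.0.1 is the first fixed release.
AFFECTED_MIN = (42, 0, 0)  # inclusive lower bound
FIXED_IN = (44, 0, 1)      # exclusive upper bound


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '43.0.3' (or '43.0.3.post1', '44.0.0rc1') into a comparable tuple."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or "0")


def is_affected_wheel_version(version: str) -> bool:
    """True if this cryptography version is in the range shipping the bad OpenSSL."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_IN


def inspect_installed() -> dict[str, str | bool]:
    """Report the installed cryptography version and the OpenSSL it links against.

    Hypothetical helper: returns an empty dict if cryptography is not importable,
    so the pure version check above can be exercised without the library present.
    """
    try:
        cryptography = importlib.import_module("cryptography")
        backend_mod = importlib.import_module("cryptography.hazmat.backends.openssl.backend")
    except ImportError:
        return {}
    version = cryptography.__version__
    return {
        "cryptography": version,
        # e.g. 'OpenSSL 3.4.0 22 Oct 2024'; a wheel reports its bundled copy here,
        # a source build reports the OpenSSL it was compiled against.
        "openssl": backend_mod.backend.openssl_version_text(),
        "in_affected_range": is_affected_wheel_version(version),
    }


if __name__ == "__main__":
    info = inspect_installed()
    if not info:
        print("cryptography is not installed in this interpreter")
    else:
        for key, value in info.items():
            print(f"{key}: {value}")
        if info["in_affected_range"]:
            print("Upgrade to cryptography 44.0.1 or later, or build from sdist "
                  "against a patched OpenSSL.")
```

The version check only tells you the wheel range; the printed OpenSSL string is what to compare against the OpenSSL advisory for source builds.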
What is the Impact of CVE-2024-12797?
Successful exploitation may allow attackers to compromise cryptographic operations, decrypt sensitive communications, or bypass security controls, depending on the specific OpenSSL flaw.
What is the Exploitability of CVE-2024-12797?
Exploitation depends entirely on the specifics of the OpenSSL vulnerability embedded within the cryptography wheels. Generally, it would require interacting with cryptographic functions provided by the library. No direct authentication or high privileges are typically needed for such library-level flaws, but the specific attack vector will be dictated by the OpenSSL issue (e.g., specific protocols or data formats). It is a local vulnerability in the sense that the vulnerable component is part of the application itself, but it could be triggered by remote interactions if the application processes external data using the insecure crypto. The primary constraint is that the user must have installed the affected pre-built wheels; source installations are not affected by this particular packaging issue. The lack of a known exploit currently limits the likelihood of compromise.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2024-12797?
Available Upgrade Options
- cryptography
- >42.0.0, <44.0.1 → Upgrade to 44.0.1
Additional Resources
- https://openssl-library.org/news/secadv/20250211.txt
- https://github.com/openssl/openssl/commit/87ebd203feffcf92ad5889df92f90bb0ee10a699
- https://github.com/openssl/openssl/commit/798779d43494549b611233f92652f0da5328fbe7
- https://osv.dev/vulnerability/GHSA-79v4-65xg-pq4g
- http://www.openwall.com/lists/oss-security/2025/02/11/4
- https://nvd.nist.gov/vuln/detail/CVE-2024-12797
- https://github.com/openssl/openssl/commit/738d4f9fdeaad57660dcba50a619fafced3fd5e9
What are Similar Vulnerabilities to CVE-2024-12797?
Similar Vulnerabilities: CVE-2023-0464, CVE-2023-0466, CVE-2023-2848, CVE-2023-2650, CVE-2023-3817
