Improper Input Validation (CWE-20)
CPython 3.9 and earlier does not reject an empty list ("[]") passed to SSLContext.set_npn_protocols(), which is an invalid value for the underlying OpenSSL API. This results in a buffer over-read when NPN is used (see CVE-2024-5535 for OpenSSL). This vulnerability is of low severity because NPN is not widely used and specifying an empty list is likely uncommon in practice (typically a protocol name would be configured).
The vulnerability can lead to a buffer over-read when NPN (Next Protocol Negotiation) is used. This could potentially result in information disclosure or system instability, although the impact is considered low due to the limited use of NPN and the uncommon nature of the specific configuration that triggers the vulnerability.
There is no evidence that a public proof-of-concept exists. There is no evidence of exploitation in the wild at the moment.
A patch is available. The vulnerability has been addressed, as indicated by the 'patched' status in the vulnerability data.
1. Update CPython to a version newer than 3.9 if possible.
2. If updating is not immediately feasible, avoid configuring an empty list ("[]") for SSLContext.set_npn_protocols().
3. Consider disabling NPN if it's not required in your environment.
4. Monitor for any suspicious network activity or system instability that could indicate exploitation attempts.
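As an added illustration of mitigation steps 2 and 3 (example code, not part of the advisory or of CPython), the helper below refuses the empty list before it can reach set_npn_protocols(), shows why an empty list is invalid by building the length-prefixed wire encoding OpenSSL expects, and prefers ALPN, only configuring NPN when the interpreter's OpenSSL build still supports it. The function names and the 255-byte limit derived from the one-byte length prefix are this example's own.

```python
import ssl
import warnings

# NPN and ALPN both send the protocol list as a sequence of names, each
# prefixed by a one-byte length, so every name must be 1..255 bytes long.
MAX_PROTO_NAME_LEN = 255


def encode_protocol_list(protocols):
    """Return the length-prefixed wire encoding of an NPN/ALPN name list.

    An empty list would encode to a zero-length buffer, which is exactly the
    configuration the advisory describes, so it is rejected with ValueError
    instead of being passed down to OpenSSL.
    """
    if not isinstance(protocols, (list, tuple)):
        raise TypeError("protocols must be a list or tuple of str")
    if not protocols:
        raise ValueError("protocol list must not be empty")
    wire = bytearray()
    for name in protocols:
        if not isinstance(name, str):
            raise TypeError("protocol names must be str")
        data = name.encode("ascii")
        if not 1 <= len(data) <= MAX_PROTO_NAME_LEN:
            raise ValueError(f"protocol name must be 1..255 bytes: {name!r}")
        wire.append(len(data))
        wire.extend(data)
    return bytes(wire)


def configure_protocols(ctx, protocols):
    """Validate `protocols`, then apply them to `ctx`; return what was set.

    ALPN (the replacement for NPN) is configured whenever available; NPN is
    configured only if this build supports it, so a deployment that disabled
    NPN never calls set_npn_protocols() at all.
    """
    encode_protocol_list(protocols)  # rejects [] before touching the context
    applied = []
    if ssl.HAS_ALPN:
        ctx.set_alpn_protocols(list(protocols))
        applied.append("alpn")
    if getattr(ssl, "HAS_NPN", False) and hasattr(ctx, "set_npn_protocols"):
        with warnings.catch_warnings():  # set_npn_protocols() is deprecated
            warnings.simplefilter("ignore", DeprecationWarning)
            ctx.set_npn_protocols(list(protocols))
        applied.append("npn")
    return tuple(applied)


def make_client_context():
    """Build a plain TLS client context to demonstrate the helper on."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
```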
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
NVD published the first details for CVE-2024-5642
Feedly found the first article mentioning CVE-2024-5642.
Feedly estimated the CVSS score as HIGH
RedHat CVE advisory released a security advisory (CVE-2024-5642).
A CVSS base score of 2.7 has been assigned.
EPSS Score was set to: 0.05% (Percentile: 15.7%)
Detection for the vulnerability has been added to Qualys (756980)
Detection for the vulnerability has been added to Nessus (206433)
Feedly estimated the CVSS score as MEDIUM