Description

CPython 3.9 and earlier doesn't disallow configuring an empty list ("[]") for SSLContext.set_npn_protocols() which is an invalid value for the underlying OpenSSL API. This results in a buffer over-read when NPN is used (see CVE-2024-5535 for OpenSSL). This vulnerability is of low severity due to NPN being not widely used and specifying an empty list likely being uncommon in-practice (typically a protocol name would be configured).

INFO

Published Date :

2024-06-27T21:05:31.281Z

Last Modified :

2026-04-21T20:12:42.468Z

Source :

PSF
AFFECTED PRODUCTS

The following products are affected by CVE-2024-5642 vulnerability.

Vendors Products
Python
  • Cpython
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-5642.

URL Resource
http://www.openwall.com/lists/oss-security/2024/06/28/4 cve-icon cve-icon
https://github.com/python/cpython/commit/39258d3595300bc7b952854c915f63ae2d4b9c3e cve-icon cve-icon
https://github.com/python/cpython/commit/a2cdbb6e8188ba9ba8b356b28d91bff60e86fe31 cve-icon cve-icon
https://github.com/python/cpython/issues/121227 cve-icon cve-icon
https://github.com/python/cpython/pull/23014 cve-icon cve-icon
https://jbp.io/2024/06/27/cve-2024-5535-openssl-memory-safety.html cve-icon cve-icon
https://mail.python.org/archives/list/[email protected]/thread/PLP2JI3PJY33YG6P5BZYSSNU66HASXBQ/ cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2024-5642 cve-icon
https://security.netapp.com/advisory/ntap-20240726-0005/ cve-icon cve-icon
https://www.cve.org/CVERecord?id=CVE-2024-5642 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact