CVE-2018-1000807: PyOpenSSL Use-After-Free vulnerability
It was discovered that pyOpenSSL incorrectly handled memory when handling X509 objects. A remote attacker could use this issue to cause pyOpenSSL to crash, resulting in a denial of service, or possibly execute arbitrary code. Whether the issue is exploitable depends on the calling application and on whether it retains a reference to the freed memory. This vulnerability appears to have been fixed in 17.5.0.
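Added example, not part of this advisory or of pyOpenSSL itself: a small dependency check that flags `==`-pinned pyOpenSSL lines below the 17.5.0 fix in a requirements file and, separately, checks the interpreter's installed package through its `OpenSSL.__version__` attribute. The `SAMPLE_REQUIREMENTS` text is constructed for the demonstration.

```python
import re
from typing import List, Optional, Tuple

# First fixed release stated in the advisory (CVE-2018-1000807).
FIXED_VERSION = (17, 5, 0)

def parse_version(version: str) -> Tuple[int, ...]:
    """'17.5.0' or '0.14' -> comparable int tuple padded to 3 parts. Suffixes
    like 'rc1'/'.post1' are dropped; use packaging.version for full PEP 440."""
    parts: List[int] = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
        if m.end() != len(piece):  # 'rc1', 'post1', ... : stop here
            break
    return tuple(parts + [0] * (3 - len(parts)))

def is_vulnerable(version: str) -> bool:
    """True if this pyOpenSSL release predates the fix in 17.5.0."""
    return parse_version(version) < FIXED_VERSION

REQ_LINE = re.compile(r"^\s*([A-Za-z0-9._-]+)\s*==\s*([0-9][0-9A-Za-z.]*)")

def scan_requirements(text: str) -> List[Tuple[str, str, bool]]:
    """Report each '==' pinned pyOpenSSL line as (name, version, vulnerable).
    Range or unpinned specifiers are skipped: the resolved version is not
    knowable from the file alone, so check the installed version instead."""
    findings = []
    for line in text.splitlines():
        m = REQ_LINE.match(line.split("#", 1)[0])  # drop trailing comments
        if not m:
            continue
        name, version = m.group(1), m.group(2)
        # PEP 503 name normalization: pyOpenSSL / PyOpenSSL / pyopenssl
        if re.sub(r"[-_.]+", "-", name).lower() == "pyopenssl":
            findings.append((name, version, is_vulnerable(version)))
    return findings

def installed_pyopenssl_vulnerable() -> Optional[bool]:
    """Check the interpreter's own pyOpenSSL; None when it is not installed."""
    try:
        import OpenSSL  # pyOpenSSL's import name
    except ImportError:
        return None
    return is_vulnerable(OpenSSL.__version__)

# Constructed sample requirements file, not taken from any real project.
SAMPLE_REQUIREMENTS = "requests==2.20.0\npyOpenSSL==17.3.0  # pre-fix pin\ncryptography==2.3.1\n"
```

Pre-release tags are ignored by the numeric parse, so a `17.5.0rc1` pin is reported as fixed; treat such pins as a manual-review item or switch to `packaging.version` for strict ordering.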
References
- access.redhat.com/errata/RHSA-2019:0085
- github.com/advisories/GHSA-p28m-34f6-967q
- github.com/pyca/pyopenssl
- github.com/pyca/pyopenssl/commit/e73818600065821d588af475b024f4eb518c3509
- github.com/pyca/pyopenssl/pull/723
- github.com/pypa/advisory-database/tree/main/vulns/pyopenssl/PYSEC-2018-23.yaml
- nvd.nist.gov/vuln/detail/CVE-2018-1000807
- usn.ubuntu.com/3813-1
Detect and mitigate CVE-2018-1000807 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities.