CVE-2018-1000808: pyOpenSSL Incorrect Memory Management
It was discovered that pyOpenSSL incorrectly handled memory when performing operations on a PKCS #12 store. A remote attacker could possibly use this issue to cause pyOpenSSL to consume resources, resulting in a denial of service.
Whether the issue can be exploited depends upon the calling application; however, triggering it could be as simple as initiating a TLS connection that causes the calling application to reload certificates from a PKCS #12 store. This vulnerability appears to have been fixed in pyOpenSSL 17.5.0.
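As an added example (not code from this advisory or from the pyOpenSSL project), the script below reports whether the pyOpenSSL installed in the current environment falls in the affected range, that is, any version older than the 17.5.0 release the advisory names as the fix. The distribution name `pyOpenSSL` used for the metadata lookup and the small version-parsing helper are assumptions of this example, not part of the advisory.

```python
# Added example (not part of the advisory or the pyOpenSSL project): check whether
# the installed pyOpenSSL is in the affected range for CVE-2018-1000808, i.e.
# any version older than 17.5.0, the release the advisory names as the fix.
from importlib import metadata
from typing import Optional, Tuple

FIXED_VERSION = "17.5.0"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '17.5.0', '0.13' or '19.0.0rc1' into a comparable 3-tuple of ints.

    Only the leading digits of each dot-separated part are used, so a
    pre-release suffix such as 'rc1' does not break the comparison. Missing
    parts are padded with zeros so that '17.5' compares equal to '17.5.0'.
    Components beyond the third (e.g. '.dev1') are ignored.
    """
    parts = []
    for piece in version.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version: str) -> bool:
    """True when the given pyOpenSSL version predates the 17.5.0 fix."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def installed_pyopenssl_version() -> Optional[str]:
    """Installed pyOpenSSL version string, or None if it is not installed."""
    try:
        return metadata.version("pyOpenSSL")  # assumed distribution name
    except metadata.PackageNotFoundError:
        return None


if __name__ == "__main__":
    installed = installed_pyopenssl_version()
    if installed is None:
        print("pyOpenSSL is not installed in this environment")
    elif is_affected(installed):
        print(f"pyOpenSSL {installed} is affected; upgrade to {FIXED_VERSION} or later")
    else:
        print(f"pyOpenSSL {installed} is not affected by CVE-2018-1000808")
```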
References
- access.redhat.com/errata/RHSA-2019:0085
- github.com/advisories/GHSA-2rcm-phc9-3945
- github.com/pyca/pyopenssl
- github.com/pyca/pyopenssl/commit/e73818600065821d588af475b024f4eb518c3509
- github.com/pyca/pyopenssl/pull/723
- github.com/pypa/advisory-database/tree/main/vulns/pyopenssl/PYSEC-2018-24.yaml
- nvd.nist.gov/vuln/detail/CVE-2018-1000808
- usn.ubuntu.com/3813-1