216.73.217.176

CVE-2024-5642

· Published 27/06/2024 21:15 · Modified 27/06/2024 22:15

Labels: CVE-2024-5642 2024-06-27CVE-2024-5642[email protected]

Essential information

Published
27/06/2024 21:15
Modified
27/06/2024 22:15
Author
Creator
CISA KEV
No
CWE

Description

CPython 3.9 and earlier doesn't disallow configuring an empty list ("[]") for SSLContext.set_npn_protocols() which is an invalid value for the underlying OpenSSL API. This results in a buffer over-read when NPN is used (see CVE-2024-5535 for OpenSSL). This vulnerability is of low severity due to NPN being not widely used and specifying an empty list likely being uncommon in-practice (typically a protocol name would be configured).

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

References