vulnerability
Ubuntu: (CVE-2024-5642): python3.5 vulnerability
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 6 | (AV:N/AC:L/Au:N/C:P/I:N/A:P) | Jun 27, 2024 | Jun 26, 2025 | Jul 1, 2025 |
Severity
6
CVSS
(AV:N/AC:L/Au:N/C:P/I:N/A:P)
Published
Jun 27, 2024
Added
Jun 26, 2025
Modified
Jul 1, 2025
Description
CPython 3.9 and earlier doesn't disallow configuring an empty list ("[]") for SSLContext.set_npn_protocols() which is an invalid value for the underlying OpenSSL API. This results in a buffer over-read when NPN is used (see CVE-2024-5535 for OpenSSL). This vulnerability is of low severity due to NPN being not widely used and specifying an empty list likely being uncommon in-practice (typically a protocol name would be configured).
Solution
no-fix-ubuntu-package
References
- CVE-2024-5642
- https://attackerkb.com/topics/CVE-2024-5642
- URL-http://www.openwall.com/lists/oss-security/2024/06/28/4
- URL-https://github.com/python/cpython/pull/23014
- URL-https://jbp.io/2024/06/27/cve-2024-5535-openssl-memory-safety.html
- URL-https://mail.python.org/archives/list/[email protected]/thread/PLP2JI3PJY33YG6P5BZYSSNU66HASXBQ/
- URL-https://www.cve.org/CVERecord?id=CVE-2024-5642
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.