CVE-2024-5642

Description

CPython 3.9 and earlier doesn't disallow configuring an empty list ("[]") for SSLContext.set_npn_protocols() which is an invalid value for the underlying OpenSSL API. This results in a buffer over-read when NPN is used (see CVE-2024-5535 for OpenSSL). This vulnerability is of low severity due to NPN being not widely used and specifying an empty list likely being uncommon in-practice (typically a protocol name would be configured).

How to fix CVE-2024-5642

To remediate CVE-2024-5642, upgrade the affected package to a fixed version below.

• —upgrade to 3.9.24 or later
• —upgrade to 3.9.24 or later
• —upgrade to 3.9.24 or later
• —no fix listed
• —no fix listed
• —no fix listed

Is CVE-2024-5642 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (6)

• from 0, < 3.9.24
• from 0, < 3.9.24
• from 0, < 3.9.24
• from 0
• from 0
• from 0

CVSS scores

References (10)

• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2024-5642
• WEBgithub.com/python/cpython/commit/39258d3595300bc7b952854c915f63ae2d4b9c3e
• WEBgithub.com/python/cpython/commit/a2cdbb6e8188ba9ba8b356b28d91bff60e86fe31
• WEBgithub.com/python/cpython/issues/121227