CPython 3.9 and earlier doesn't disallow configuring an empty list ("[]") for SSLContext.set_npn_protocols() which is an invalid value for the underlying OpenSSL API. This results in a buffer over-read when NPN is used (see CVE-2024-5535 for OpenSSL). This vulnerability is of low severity due to NPN being not widely used and specifying an empty list likely being uncommon in-practice (typically a protocol name would be configured).
CVSS
No CVSS.
References
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: PSF
Published: 2024-06-27T21:05:31.281Z
Updated: 2024-07-01T13:51:32.404Z
Reserved: 2024-06-04T18:40:21.539Z
Link: CVE-2024-5642
JSON object: View
NVD Information
Status : Received
Published: 2024-06-27T21:15:16.070
Modified: 2024-06-27T22:15:10.757
Link: CVE-2024-5642
JSON object: View
Redhat Information
No data.
CWE
No CWE.