{
  "threat_severity" : "Low",
  "public_date" : "2024-06-27T00:00:00Z",
  "bugzilla" : {
    "description" : "python: Invalid value for OpenSSL API may cause Buffer over-read when NPN is used",
    "id" : "2294682",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2294682"
  },
  "cvss3" : {
    "cvss3_base_score" : "2.7",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-20",
  "details" : [ "CPython 3.9 and earlier doesn't disallow configuring an empty list (\"[]\") for SSLContext.set_npn_protocols() which is an invalid value for the underlying OpenSSL API. This results in a buffer over-read when NPN is used (see CVE-2024-5535 for OpenSSL). This vulnerability is of low severity due to NPN being not widely used and specifying an empty list likely being uncommon in-practice (typically a protocol name would be configured).", "A vulnerability was found in Python/CPython that does not disallow configuring an empty list (\"[]\") for SSLContext.set_npn_protocols(), which is an invalid value for the underlying OpenSSL API. This issue results in a buffer over-read when NPN is used. See CVE -2024-5535 for OpenSSL for more information." ],
  "statement" : "This vulnerability is rated with a Low severity due to NPN not being widely used and specifying an empty list is likely uncommon in practice. Typically, a protocol name would be configured.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2025-12-18T00:00:00Z",
    "advisory" : "RHSA-2025:23530",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "python39:3.9-8100020251126112422.d47b87a4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2025-12-18T00:00:00Z",
    "advisory" : "RHSA-2025:23530",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "python39-devel:3.9-8100020251126112422.d47b87a4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-12-18T00:00:00Z",
    "advisory" : "RHSA-2025:23342",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "python3.9-0:3.9.25-2.el9_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-12-18T00:00:00Z",
    "advisory" : "RHSA-2025:23342",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "python3.9-0:3.9.25-2.el9_7"
  }, {
    "product_name" : "Red Hat Ceph Storage 8",
    "release_date" : "2026-02-02T00:00:00Z",
    "advisory" : "RHSA-2026:1652",
    "cpe" : "cpe:/a:redhat:ceph_storage:8::el9",
    "package" : "rhceph/rhceph-8-rhel9:sha256:09aaeba975aa74bdf95d63e5619c0cabb1cd9e1410aa34e7f8ecf24a5e291d1a"
  }, {
    "product_name" : "Red Hat Discovery 2",
    "release_date" : "2026-01-08T00:00:00Z",
    "advisory" : "RHSA-2026:0414",
    "cpe" : "cpe:/a:redhat:discovery:2::el9",
    "package" : "discovery/discovery-server-rhel9:sha256:75723049a444b5136e2d40920e2852f0840fecf60832a8bbb06e488fc9bba543"
  }, {
    "product_name" : "Red Hat Discovery 2",
    "release_date" : "2026-01-08T00:00:00Z",
    "advisory" : "RHSA-2026:0414",
    "cpe" : "cpe:/a:redhat:discovery:2::el9",
    "package" : "discovery/discovery-ui-rhel9:sha256:899bd7f941512d54af8ab369ca03028a7d27d05887ccce24bc12c7ccd3e4dbee"
  }, {
    "product_name" : "Red Hat Update Infrastructure 5",
    "release_date" : "2026-01-15T00:00:00Z",
    "advisory" : "RHSA-2026:0685",
    "cpe" : "cpe:/a:redhat:rhui:5::el9",
    "package" : "rhui5/cds-rhel9:sha256:87d268fd03fa0063620a043b43bce078144e06849ca6b83fd0e375c13ecb15be"
  }, {
    "product_name" : "Red Hat Update Infrastructure 5",
    "release_date" : "2026-01-15T00:00:00Z",
    "advisory" : "RHSA-2026:0685",
    "cpe" : "cpe:/a:redhat:rhui:5::el9",
    "package" : "rhui5/haproxy-rhel9:sha256:c0cb48d44556c064626eab0d70e5f427ac132bbd921342dcb862267413bf8d16"
  }, {
    "product_name" : "Red Hat Update Infrastructure 5",
    "release_date" : "2026-01-15T00:00:00Z",
    "advisory" : "RHSA-2026:0685",
    "cpe" : "cpe:/a:redhat:rhui:5::el9",
    "package" : "rhui5/installer-rhel9:sha256:e1d64fbd0e4b90259d9fbb94736ed74c7c384d13067c6bbbb107c664683cb1a9"
  }, {
    "product_name" : "Red Hat Update Infrastructure 5",
    "release_date" : "2026-01-15T00:00:00Z",
    "advisory" : "RHSA-2026:0685",
    "cpe" : "cpe:/a:redhat:rhui:5::el9",
    "package" : "rhui5/rhua-rhel9:sha256:4642951a6a57511f8b481a6481fcd417fc7f3de86511cdab28b9b89639c2bdb2"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "python3.12",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "python",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "python",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "python3",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "gimp:flatpak/python2",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "inkscape:flatpak/python2",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Fix deferred",
    "package_name" : "python27:2.7/python2",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "python3",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "python3.11",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "python3.12",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "python36:3.6/python36",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "python3.11",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "python3.12",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-5642\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-5642\nhttps://mail.python.org/archives/list/security-announce@python.org/thread/PLP2JI3PJY33YG6P5BZYSSNU66HASXBQ/" ],
  "name" : "CVE-2024-5642",
  "csaw" : false
}