Auto import

vulns/cryptography/PYSEC-0000-CVE-2024-26130.yaml

@@ -0,0 +1,44 @@
+id: PYSEC-0000-CVE-2024-26130
+severity:
+- type: CVSS_V3
+  score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
+details: cryptography is a package designed to expose cryptographic primitives and
+  recipes to Python developers. Starting in version 38.0.0 and prior to version 42.0.4,
+  if `pkcs12.serialize_key_and_certificates` is called with both a certificate whose
+  public key did not match the provided private key and an `encryption_algorithm`
+  with `hmac_hash` set (via `PrivateFormat.PKCS12.encryption_builder().hmac_hash(...)`,
+  then a NULL pointer dereference would occur, crashing the Python process. This has
+  been resolved in version 42.0.4, the first version in which a `ValueError` is properly
+  raised.
+affected:
+- package:
+    name: cryptography
+    ecosystem: PyPI
+    purl: pkg:pypi/cryptography
+  ranges:
+  - type: GIT
+    repo: https://github.com/pyca/cryptography
+    events:
+    - introduced: "0"
+    - fixed: 97d231672763cdb5959a3b191e692a362f1b9e55
+    - fixed: 97d231672763cdb5959a3b191e692a362f1b9e55
+  - type: ECOSYSTEM
+    events:
+    - introduced: 38.0.0
+    - fixed: 42.0.4
+references:
+- type: ADVISORY
+  url: https://github.com/pyca/cryptography/security/advisories/GHSA-6vqw-3v5j-54x4
+- type: FIX
+  url: https://github.com/pyca/cryptography/commit/97d231672763cdb5959a3b191e692a362f1b9e55
+- type: FIX
+  url: https://github.com/pyca/cryptography/pull/10423
+- type: REPORT
+  url: https://github.com/pyca/cryptography/pull/10423
+aliases:
+- CVE-2024-26130
+related:
+- GHSA-6vqw-3v5j-54x4
+- GHSA-6vqw-3v5j-54x4
+modified: "2025-02-05T22:09:20Z"
+published: "2024-02-21T17:15:09Z"

vulns/pymatgen/PYSEC-0000-CVE-2024-23346.yaml

@@ -0,0 +1,45 @@
+id: PYSEC-0000-CVE-2024-23346
+severity:
+- type: CVSS_V3
+  score: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
+details: Pymatgen (Python Materials Genomics) is an open-source Python library for
+  materials analysis. A critical security vulnerability exists in the `JonesFaithfulTransformation.from_transformation_str()`
+  method within the `pymatgen` library prior to version 2024.2.20. This method insecurely
+  utilizes `eval()` for processing input, enabling execution of arbitrary code when
+  parsing untrusted input. Version 2024.2.20 fixes this issue.
+affected:
+- package:
+    name: pymatgen
+    ecosystem: PyPI
+    purl: pkg:pypi/pymatgen
+  ranges:
+  - type: GIT
+    repo: https://github.com/materialsproject/pymatgen
+    events:
+    - introduced: "0"
+    - fixed: c231cbd3d5147ee920a37b6ee9dd236b376bcf5a
+    - fixed: c231cbd3d5147ee920a37b6ee9dd236b376bcf5a
+  - type: ECOSYSTEM
+    events:
+    - introduced: "0"
+    - fixed: 2024.2.20
+references:
+- type: ADVISORY
+  url: https://github.com/materialsproject/pymatgen/security/advisories/GHSA-vgv8-5cpj-qj2f
+- type: EVIDENCE
+  url: https://github.com/materialsproject/pymatgen/security/advisories/GHSA-vgv8-5cpj-qj2f
+- type: EVIDENCE
+  url: https://www.vicarius.io/vsociety/posts/critical-security-flaw-in-pymatgen-library-cve-2024-23346
+- type: FIX
+  url: https://github.com/materialsproject/pymatgen/commit/c231cbd3d5147ee920a37b6ee9dd236b376bcf5a
+- type: WEB
+  url: https://github.com/materialsproject/pymatgen/blob/master/pymatgen/symmetry/settings.py#L97C1-L111C108
+- type: WEB
+  url: https://www.vicarius.io/vsociety/posts/critical-security-flaw-in-pymatgen-library-cve-2024-23346
+aliases:
+- CVE-2024-23346
+related:
+- GHSA-vgv8-5cpj-qj2f
+- GHSA-vgv8-5cpj-qj2f
+modified: "2025-02-05T22:10:07Z"
+published: "2024-02-21T17:15:09Z"