GHSA-79v4-65xg-pq4g · Severity: low · Ecosystem: pip — Vulnerable OpenSSL included in cryptography wheels
Issue summary: Clients using RFC7250 Raw Public Keys (RPKs) to authenticate a server may fail to notice that the server was not authenticated, because handshakes don't abort as expected when the SSL_VERIFY_PEER verification mode is set.

Impact summary: TLS and DTLS connections using raw public keys may be vulnerable to man-in-the-middle attacks when server authentication failure is not detected by clients. RPKs are disabled by default in both TLS clients and TLS servers. The issue only arises when TLS clients explicitly enable RPK use by the server, and the server, likewise, enables sending of an RPK instead of an X.509 certificate chain. The affected clients are those that then rely on the handshake to fail when the server's RPK fails to match one of the expected public keys, by setting the verification mode to SSL_VERIFY_PEER. Clients that enable server-side raw public keys can still find out that raw public key verification failed by calling SSL_get_verify_result(), and those that do, and take appropriate action, are not affected. This issue was introduced in the initial implementation of RPK support in OpenSSL 3.2. The FIPS modules in 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue.
Overall assessment: CVE-2024-12797 is medium risk (55.3/100). CVSS severity is medium. Exploitation is likely (EPSS 2.36%, 81st percentile). Rationale: EPSS rose by +1.56% over the last day, which may indicate growing interest in exploitation. Recommended action: inventory the affected assets and include them in the remediation plan.

Risk changes over time; the contents of this page are updated based on reassessment.

EPSS estimates the relative likelihood of exploitation on a daily basis. The percentile gives the relative position among all scored CVEs (higher means relatively more severe).
| # | Date | Previous EPSS score | New EPSS score | Δ (new − old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.80% | 2.36% | +1.56% |
| 2 | 2026-05-23 | 0.58% | 0.80% | +0.22% |
| 3 | 2026-05-22 | — | 0.58% | — |
Full EPSS history (37 entries in total)

CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 6.3 | 3.1 | MEDIUM | | 2.8 | 3.4 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 |
| vendor | priority | summary | link |
|---|---|---|---|
| alpine | — | CVE-2024-12797: 1 source package row (openssl); 40 state rows across 4 repos (3.20-main, 3.21-main, 3.22-main, edge-main); fixed 4, open 36. | https://security.alpinelinux.org/vuln/CVE-2024-12797 |
| debian | unimportant | CVE-2024-12797 unimportant priority: Debian including 1 source package (openssl), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. | https://security-tracker.debian.org/tracker/CVE-2024-12797 |
| redhat | high | — | https://access.redhat.com/security/cve/CVE-2024-12797 |
| suse | high | CVE-2024-12797 severity important: SUSE including 327 source package names (1.1.0-1.1:libopenssl3-3.2.3-150700.5.5.1, 1.1.0-1.1:openssl-3-3.2.3-150700.5.5.1, …), 794 product×package rows across 120 product lines (Container bci/kiwi, Container private-registry/harbor-core, … (120 product lines)): Known Not Affected 370, Known Affected 231, Fixed 193. | https://www.suse.com/security/cve/CVE-2024-12797/ |
| ubuntu | high | CVE-2024-12797 high priority: Ubuntu including 4 source packages (edk2, nodejs, openssl, openssl1.0), 33 status rows across 9 suites (bionic, focal, jammy, noble, oracular, plucky, trusty, upstream, xenial): not-affected 22, DNE 5, needs-triage 3, released 3. | https://ubuntu.com/security/CVE-2024-12797 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| No affected products in the dataset. | | | |