{"vulnerability": "CVE-2024-26130", "sightings": [{"uuid": "e884b1b8-d402-49d6-a2b3-789fdb6643ba", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-26130", "type": "seen", "source": "https://t.me/arpsyndicate/4072", "content": "#ExploitObserverAlert\n\nCVE-2024-26130\n\nDESCRIPTION: Exploit Observer has 1 entries in 1 file formats related to CVE-2024-26130. cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting in version 38.0.0 and prior to version 42.0.4, if `pkcs12.serialize_key_and_certificates` is called with both a certificate whose public key did not match the provided private key and an `encryption_algorithm` with `hmac_hash` set (via `PrivateFormat.PKCS12.encryption_builder().hmac_hash(...)`, then a NULL pointer dereference would occur, crashing the Python process. This has been resolved in version 42.0.4, the first version in which a `ValueError` is properly raised.", "creation_timestamp": "2024-02-22T22:14:08.000000Z"}, {"uuid": "c97cb7b2-0fc2-4a52-ab71-367ddc49b27a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-26130", "type": "seen", "source": "https://t.me/ctinow/206502", "content": "https://ift.tt/WyL0VRj\nCVE-2024-26130 | pyca cryptography up to 42.0.3 PrivateFormat.PKCS12.encryption_builder.hmac_hash null pointer dereference", "creation_timestamp": "2024-03-13T09:41:31.000000Z"}, {"uuid": "0fca3e01-9fc4-4f8c-bb91-938421bcb084", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-26130", "type": "seen", "source": "https://t.me/arpsyndicate/4892", "content": "#ExploitObserverAlert\n\nCVE-2024-26130\n\nDESCRIPTION: Exploit Observer has 14 entries in 6 file formats related to CVE-2024-26130. 
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Starting in version 38.0.0 and prior to version 42.0.4, if `pkcs12.serialize_key_and_certificates` is called with both a certificate whose public key did not match the provided private key and an `encryption_algorithm` with `hmac_hash` set (via `PrivateFormat.PKCS12.encryption_builder().hmac_hash(...)`, then a NULL pointer dereference would occur, crashing the Python process. This has been resolved in version 42.0.4, the first version in which a `ValueError` is properly raised.\n\nFIRST-EPSS: 0.000450000\nARPS-PRIORITY: 0.7524834", "creation_timestamp": "2024-04-26T05:58:45.000000Z"}, {"uuid": "0f74bc7f-b35f-4db9-b95d-20cad1a50abd", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-26130", "type": "seen", "source": "https://gist.github.com/sruthi-parthasarathi-ai/f233e53a928e386fffc3053e894ba089", "content": "# MB 1.71 CVE Remediation \u2014 Go + Python Action Plan\n\n**Customer context:** Mercedes-Benz's Security Command Center flagged 272 CVEs on the 1.71 canary cluster. This document covers the **Go (23) and Python (26) CVEs only**. The Maven/Spark CVEs (~120) are being handled separately via a cluster config change (disabling Spark 3.4) and are not in scope here.\n\n**Target:** PRs up by EOD Thursday, June 12, ahead of the June 15 MB meeting.\n\n---\n\n## How to read this doc\n\nThis is organized by team, matching the Slack thread. 
Each section has:\n- The exact version bumps needed\n- Which files to change\n- A brief note on why a particular fix is scoped the way it is\n\nTwo questions come up repeatedly, so the answers are here upfront:\n\n**Why are `py38` lockfiles being skipped for some packages?**\nThree of the packages \u2014 `aiohttp`, `lxml`, and `pillow` \u2014 have CVE fix versions that dropped Python 3.8 support (`aiohttp >= 3.13.3`, `lxml >= 6.1`, `Pillow >= 11.0` all require Python 3.9+). Fixing the py38 lockfiles would require upgrading our Python 3.8 toolchain first, which is out of scope for June 15. The py38 lockfiles will retain a residual CVE for those three packages until a follow-on py38 retirement effort. This is an accepted risk for now.\n\n**Why focus on these packages and not others?**\nThese are the packages the GCP Security Command Center specifically flagged. The remaining CVEs outside this list (e.g., grpcio, protobuf, numpy, docker) are also present but were either (a) not included in the MB-specific SCC report, (b) already fixed in the versions we're running, or (c) identified as requiring a more complex effort that can't land by June 15. The `govulncheck` and `pip-audit` follow-ons at the bottom of this doc will surface those.\n\n---\n\n## Dev Frameworks\n\n### Go: bump the toolchain \u2014 fixes 15 CVEs including 1 CRITICAL\n\nThe Go runtime on 1.71 is `1.25.5`. The CVE fix requires `1.25.11`. The Go version is pinned in **two separate places** and both need to change:\n\n**1. `WORKSPACE`** \u2014 this is the Bazel build-time toolchain, controls all compiled Go binaries:\n```\n# Change this line:\ngo_register_toolchains(\n    version = \"1.25.5\",\n)\n# To:\ngo_register_toolchains(\n    version = \"1.25.11\",\n)\n```\n\n**2. `go.mod` files** \u2014 the `go` directive and `toolchain` directive are separate from the Bazel pin. 
Files to update:\n\n| File | What to change |\n|---|---|\n| `go.mod` (root) | `go 1.25.5` \u2192 `go 1.25.11` |\n| `internal_apps/apps/apx/go.mod` | `go 1.25.0` \u2192 `go 1.25.11` |\n| `apps_platform/lib/*/go.mod` (8 files) | `toolchain go1.25.8` \u2192 `toolchain go1.25.11` |\n| `apps_platform/platform/*/go.mod` (6 files) | `toolchain go1.25.5` or `go1.25.8` \u2192 `toolchain go1.25.11` |\n\nThere are no breaking changes between 1.25.5 and 1.25.11 \u2014 this is a patch-series security release.\n\n---\n\n### Go: bump `go-jose/v4` \u2014 quick win\n\n| Package | Current | Fix | Where |\n|---|---|---|---|\n| `github.com/go-jose/go-jose/v4` | `v4.1.3` (main go.mod, indirect) | `v4.1.5` | `go.mod` + all `apps_platform/*/go.mod` |\n\nThis is an indirect dependency pulled in through OIDC/OAuth libraries. Fix: `go get github.com/go-jose/go-jose/v4@v4.1.5 && go mod tidy`. No API changes.\n\n---\n\n### Python: lockfile bumps\n\nFor Python fixes, the workflow is: bump the version in the relevant `requirements.txt` input files, then regenerate the compiled lockfiles. The compiled lockfiles (`requirements_compiled_*.txt`) are what actually gets installed \u2014 they need to be regenerated after any input change.\n\n#### `h11` \u2192 `0.16.0` \u2014 **CRITICAL, highest priority Python fix**\n\n`h11` is uvicorn's HTTP/1.1 implementation. CVE-2025-43859 allows HTTP request smuggling via malformed chunked encoding. 
Services using uvicorn (`web_services/sre/`, model_management autodistill server, `gen_ai/spec_in_the_loop/server/`) are the exposed surface.\n\nLockfiles to regenerate (the `py39` and `py310` lockfiles are already at `0.16.0` \u2014 only these need updating):\n\n| File | Current |\n|---|---|\n| `tools/build/requirements_compiled_py311.txt` | `0.14.0` |\n| `tools/build/requirements_compiled_py311_windows.txt` | `0.14.0` |\n| `tools/build/requirements_compiled_py312.txt` | `0.14.0` |\n| `tools/build/requirements_compiled_py312_windows.txt` | `0.14.0` |\n| `tools/build/requirements_compiled_tools.txt` | `0.14.0` |\n| `dev/containers/ci/requirements_compiled_buildkite.txt` | `0.14.0` |\n| `dev/containers/dev/requirements_compiled_devdocker.txt` | `0.14.0` |\n\nNo API changes. Fastest fix in the entire list.\n\n---\n\n#### `cryptography` \u2192 `44.0.1+`\n\nCVE-2024-26130 / CVE-2024-12797. Used in TLS cert handling, JWT signing, image signing. Most affected path: the cluster cert pipeline (`tools/scripts/minikube/setup/tls.py`, `tools/scripts/sign_images.py`).\n\nThe `buildkite` (`44.0.3`) and `devdocker` (`46.0.5`) containers are already fixed. The following still need updating:\n\n| File | Current |\n|---|---|\n| `tools/build/requirements_compiled_py38.txt` | `43.0.3` |\n| `tools/build/requirements_compiled_py39.txt` | `43.0.3` |\n| `tools/build/requirements_compiled_py310.txt` | `43.0.3` |\n| `tools/build/requirements_compiled_py311.txt` | `43.0.3` |\n| `tools/build/requirements_compiled_py312.txt` | `43.0.3` |\n| `tools/build/requirements_compiled_tools.txt` | `43.0.3` |\n| `dev/containers/genai-dev/requirements_compiled_genai-dev.txt` | `43.0.3` |\n| `adp/services/scenario_post_processor/requirements_compiled_py311.txt` | `43.0.3` |\n| `adp/services/axion_rl/genesis/requirements_compiled_py311.txt` | `43.0.3` |\n| All Windows variants (py38\u2013py312) | `43.0.3` |\n\nNote: `cryptography` has a Rust extension \u2014 make sure the build environment has Cargo. 
CI containers already do.\n\nNo breaking changes in the 43 \u2192 44 bump for the usages in this codebase.\n\n---\n\n#### `gitpython` \u2192 `3.1.44+`\n\nCVE-2024-22190 (shell injection via malformed git URLs). Used in CI tooling and workbench release scripts \u2014 not in any running cluster service. This is a pure patch release with no API changes, and importantly it **does support py38**, so all lockfiles get the fix (no py38 exception here).\n\nAll 10 lockfiles need updating: `py38`, `py39`, `py310`, `py311`, `py312` (Linux + Windows).\n\n---\n\n#### `aiohttp` \u2192 `3.13.3+` (py39\u2013py312 only)\n\nUsed in `lilypad/images/ray_history_server/`, `tools/gen_ai/crashbot/`, `tools/log_flume/`, and as a transitive dependency via `aioboto3` in the data access layer.\n\n**py38 lockfiles (`requirements_compiled_py38.txt`, `requirements_compiled_py38_windows.txt`) are intentionally skipped** \u2014 `aiohttp >= 3.13.3` requires Python 3.9+, so these files cannot receive the fix without a Python toolchain upgrade.\n\nLockfiles to regenerate: `py39`, `py310`, `py311`, `py312` (Linux + Windows, 8 files) + `dev/containers/genai-dev/requirements_compiled_genai-dev.txt`.\n\n---\n\n#### `pillow` \u2192 `11.0.0+` (py39\u2013py312 only)\n\nUsed in `gen_ai/` Triton inference pipelines, `synthetic_datasets/`, `tools/vehiclesim/`. 
The `axion_rl/genesis` lockfile is already at `12.1.1` and the `helix hdp_3_11` lockfile is at `11.3.0` \u2014 those are fine.\n\n**py38 lockfiles are intentionally skipped** \u2014 Pillow 11.x dropped Python 3.8 support.\n\nLockfiles to regenerate: `py39`\u2013`py312` (Linux + Windows), `tools` lockfile, `genai-dev`, `helix hdp_3_9`.\n\n---\n\n#### `lxml` \u2192 `6.1+` (py39\u2013py312 only)\n\nUsed in OpenDrive and VTD XML map parsers (`simian/modules/map/opendrive/`, `simian/modules/vtd/vtd_parser.py`), OpenScenario exporter, and map conversion pipeline.\n\n**py38 lockfiles are intentionally skipped** \u2014 lxml 6.x dropped Python 3.8 support.\n\n\u26a0\ufe0f lxml 5.x \u2192 6.x is a major version bump. The XML parser has stricter defaults in 6.0. The OpenDrive and OSC parsers use `lxml.etree` directly \u2014 do a quick test pass to make sure scenario XML and map XML still parse correctly before merging.\n\nLockfiles to regenerate: `py39`\u2013`py312` (Linux + Windows), `tools` lockfile, `helix hdp_3_9` (helix team owns this one), `helix hdp_3_11` (currently at `6.0.2`, still needs bump to `6.1+`).\n\n---\n\n## Cloud Infra (Antonia Adler)\n\n### `azure-core` \u2192 `1.38.0+`\n\nUsed in `adp/lib/secrets/azure_key_vault.py`, `adp/lib/postgres/auth/azure_get_managed_identity_token.py`, and the Azure Blob Storage access layer (`adp/lib/file_access_layer/py/az/`). 
Particularly relevant for the MB cluster since it uses Azure Managed Identity for Postgres auth.\n\nWhen bumping `azure-core`, check `azure-identity` and `azure-storage-blob` versions in the same lockfiles for compatibility \u2014 they may need to be bumped in tandem.\n\n| File | Current |\n|---|---|\n| `tools/build/requirements_compiled_py39.txt` | `1.28.0` |\n| `tools/build/requirements_compiled_py310.txt` | `1.28.0` |\n| `tools/build/requirements_compiled_py311.txt` | `1.28.0` |\n| `tools/build/requirements_compiled_py312.txt` | `1.36.0` |\n| All Windows variants (py39\u2013py312) | `1.28.0` / `1.36.0` |\n| `dev/containers/ci/requirements_compiled_buildkite.txt` | `1.36.0` |\n| `dev/containers/genai-dev/requirements_compiled_genai-dev.txt` | `1.32.0` |\n\nPure Python library, no compiled extensions. Should be straightforward.\n\n---\n\n### `h11` in infra containers\n\nThe two infra-owned containers also need `h11` updated (listed in the Dev Frameworks section above but owned here):\n- `dev/containers/ci/requirements_compiled_buildkite.txt`\n- `dev/containers/dev/requirements_compiled_devdocker.txt`\n\n---\n\n### `cryptography` in infra-owned lockfiles\n\n- `tools/on_prem/cluster_creation/requirements_compiled_on_prem.txt` \u2014 `43.0.3` \u2192 `44.0.1+`\n- `spectral/dev/containers/dev/requirements_compiled_spectral_devdocker.txt` \u2014 `43.0.3` \u2192 `44.0.1+` (coordinate with Spectral team if they own this container)\n\n---\n\n### Longer-term flag: `docker/docker` (`v25.0.12` \u2192 `v27.x`)\n\n`github.com/docker/docker` is at `v25.0.12+incompatible` in the main `go.mod`. The CVE fix requires `v27.x`, which is a **major API migration** \u2014 not feasible for June 15. Services using the Docker API directly: `sim_orchestrator/worker/executor/`, `sensor_sim_pool/`, `sensor_sim_downloader/`, `scenario_preview/`, `edge_recorder/`. 
Worth scheduling as a follow-on sprint item.\n\n---\n\n## Sim Execution (Henry Chen / Sahil Goyal / Conor Martin)\n\n### `pgx/v5` \u2192 `v5.7.4+` in `internal_apps/apps/apx/go.mod` \u2014 CRITICAL\n\n`pgx/v5` (the PostgreSQL driver) has a CRITICAL CVE. The main `go.mod` is at `v5.7.2` which is already above the known vulnerable threshold, but `internal_apps/apps/apx/go.mod` is at `v5.6.0` and needs to be bumped.\n\nThe fix is narrow \u2014 just the `apx` go.mod:\n```\n# internal_apps/apps/apx/go.mod\ngithub.com/jackc/pgx/v5 v5.6.0  \u2192  v5.7.4 (or latest v5.7.x)\n```\n\nRun `go mod tidy` in `internal_apps/apps/apx/` after the bump. No API changes within the v5.7.x series.\n\nNote: If `govulncheck` reveals a separate newer advisory affecting the main `go.mod`'s `v5.7.2`, the scope expands \u2014 that would require bumping the root `go.mod` and recompiling all ~110 Postgres-backed services. That's worth confirming before starting (see the \"next steps\" section at the bottom).\n\n---\n\n### `simpleeval` \u2192 `1.0.5+` (via `casbin` in access control)\n\n`simpleeval` is a dependency of `casbin`, which is the policy-based access control library used in `simian/modules/access_control/`. It only appears in py311 and py39 lockfiles (casbin isn't pulled in from other Python version targets).\n\n| File | Current |\n|---|---|\n| `tools/build/requirements_compiled_py311.txt` | `1.0.3` |\n| `tools/build/requirements_compiled_py311_windows.txt` | `1.0.3` |\n| `tools/build/requirements_compiled_py39.txt` | `0.9.12` |\n| `tools/build/requirements_compiled_py39_windows.txt` | `0.9.12` |\n\nExploitability context: the `simpleeval` CVE is an expression injection / code execution issue. In practice, casbin policy rules in this codebase are stored in Postgres and written by engineers \u2014 they're not dynamically constructed from user HTTP input. So the real-world risk is low, but patching removes it from the SCC report. 
Pure Python, tiny library, no API changes.\n\n---\n\n### `protobuf` in `scenario_post_processor` \u2014 timeline TBD\n\n`adp/services/scenario_post_processor/requirements_compiled_py311.txt` pins `protobuf==3.20.3`, which is very old (the current line is `4.x`/`5.x`). Multiple CVEs are fixed in the `4.x` series. This is a **major version bump** with meaningful API changes \u2014 the protobuf Python API changed significantly between `3.x` and `4.x`. It needs a proper assessment of what scenario_post_processor calls in the protobuf API before committing to a version. Let us know what's realistic timeline-wise and we can scope it separately if it can't land by June 15.\n\n---\n\n## Recommended next steps (not June 15 scope)\n\nOnce the above PRs are merged, two follow-ons will surface and close the remaining CVEs:\n\n1. **`govulncheck -json ./...`** \u2014 run from the repo root in dev docker. This will give exact GHSA IDs for the remaining 6 Go module CVEs (suspected: `golang.org/x/net`, `IBM/sarama`, and potentially a newer `pgx/v5` advisory). Several of the \"remaining 6\" may already be resolved by the Go toolchain bump.\n\n2. **`pip-audit --requirement tools/build/requirements_compiled_py311.txt --format json`** \u2014 this will surface the remaining ~18 Python CVEs not named in the MB report. Likely candidates include `grpcio 1.63.2` (fix: `1.64.1+`, wide distribution across all lockfiles) and `numpy 1.24.4` in py310/py311 lockfiles (fix: `1.26.0+`).\n\n3. **Retire py38 from the build system** \u2014 this unblocks the three packages (`aiohttp`, `lxml`, `pillow`) that couldn't be fully fixed above. Likely a 1-sprint Dev Frameworks project.\n\n---\n\n*Analysis sourced from `applied3` codebase inspection of `go.mod`, `WORKSPACE`, and all `requirements_compiled_*.txt` lockfiles. 
Go runtime at `1.25.5`, cluster version 1.71.*\n", "creation_timestamp": "2026-06-09T19:20:47.000000Z"}, {"uuid": "5f054ce9-1d55-4411-b58a-c18351538171", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-26130", "type": "seen", "source": "https://t.me/ctinow/189901", "content": "https://ift.tt/5TUHG2t\nCVE-2024-26130", "creation_timestamp": "2024-02-21T18:31:28.000000Z"}, {"uuid": "3f2443e9-cfa6-42f4-9487-2e45d0b0dce8", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-26130", "type": "seen", "source": "https://t.me/ctinow/189915", "content": "https://ift.tt/5TUHG2t\nCVE-2024-26130", "creation_timestamp": "2024-02-21T18:36:21.000000Z"}]}