SCA: security update for cryptography (GHSA-m959-cc7f-wv43)

medium Tenable Self-Hosted Container Security Plugin ID 439581

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- cryptography is a package designed to expose cryptographic primitives and recipes to Python developers.
Prior to version 46.0.6, DNS name constraints were only validated against SANs within child certificates,
and not the "peer name" presented during each validation. Consequently, cryptography would allow a peer
named bar.example.com to validate against a wildcard leaf certificate for *.example.com, even if the
leaf's parent certificate (or upwards) contained an excluded subtree constraint for bar.example.com. This
issue has been patched in version 46.0.6. (CVE-2026-34073)

Solution

Update the cryptography library and its related packages to version 46.0.6 or later.

See Also

https://github.com/advisories/GHSA-m959-cc7f-wv43

Plugin Details

Severity: Medium

ID: 439581

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 4/1/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3.2

Percentile: 51.08

Vendor

Vendor Severity: Low

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2026-34073

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 4.6

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 6.3

Threat Score: 1.7

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 3/27/2026

Vulnerability Publication Date: 3/26/2026

Reference Information

CVE: CVE-2026-34073

cwe: CWE-295