MCP Server Proto-OKN

mcp-proto-okn
docs
benchmarks

3-securechainkg-openssl-dependencies-vulnerabilities.md•4.94 KiB

# OpenSSL Dependencies Vulnerability Analysis 👤 **User** @securechainkg: Does any software library or package that directly or transitively depend on OpenSSL have a known vulnerability? --- 🧠 **Assistant** ## Yes, Many Software Libraries Depending on OpenSSL Have Known Vulnerabilities Based on my analysis of the SecureChain KG knowledge graph, I found **numerous software libraries and packages that directly or transitively depend on OpenSSL and have known vulnerabilities**. Here's a comprehensive breakdown: ### Direct Dependencies on OpenSSL with Vulnerabilities **Top Affected Packages (by number of unique vulnerabilities):** 1. **matrix-synapse** (PyPI) - 34 unique CVEs across 288 affected versions - A Matrix homeserver implementation with the most vulnerabilities 2. **ffmpeg** (Conan) - 17 unique CVEs across 5 versions - Including CVE-2020-20891, CVE-2021-38090, CVE-2022-1475, and others 3. **neutron** (PyPI) - 9 CVEs across 85 versions - OpenStack networking component 4. **scrapy** (PyPI) - 7 CVEs across 52 versions - Web scraping framework 5. **snowflake-connector-python** (PyPI) - 6 CVEs across 101 versions 6. **whoogle-search** (PyPI) - 6 CVEs across 5 versions **Additional Notable Libraries:** - **cargo** (Cargo) - 5 CVEs including CVE-2022-36113, CVE-2022-36114, CVE-2022-46176, CVE-2023-38497, CVE-2019-16760 - **glance** (PyPI) - 5 CVEs (OpenStack image service) - **hyper** (Cargo) - 4 CVEs (HTTP library) - **mitmproxy** (PyPI) - 4 CVEs - **barbican** (PyPI) - 4 CVEs (OpenStack key management) - **homeassistant** (PyPI) - 3 CVEs across 133 versions - **actix-web** (Cargo) - 3 CVEs - **russh** (Cargo) - 3 CVEs **C/C++ Libraries via Conan:** - **qt** (Conan) - CVE-2022-40983, CVE-2022-43591 - **minizip-ng** (Conan) - CVE-2023-48106, CVE-2023-48107 - **poco** (Conan) - CVE-2023-52389 - **libgit2** (Conan) - CVE-2023-22742 - **libssh2** (Conan) - CVE-2020-22218 - **capnproto** (Conan) - CVE-2022-46149, CVE-2023-48230 - **dcmtk** (Conan) - CVE-2022-43272 ### Transitive Dependencies on OpenSSL with Vulnerabilities Software that depends on packages that depend on OpenSSL also shows vulnerabilities: 1. **nova** (PyPI) - 18 CVEs across 89 versions (OpenStack compute) 2. **keystone** (PyPI) - 11 CVEs across 43 versions (OpenStack identity service) 3. **deno** - 9 CVEs across 62 versions 4. **rusqlite** (Cargo) - 7 CVEs 5. **cinder** (PyPI) - 4 CVEs across 107 versions (OpenStack block storage) 6. **routinator** (Cargo) - 3 CVEs across 52 versions ### Ecosystem Distribution The vulnerabilities span across multiple package ecosystems: - **PyPI** (Python): Majority of packages including matrix-synapse, neutron, scrapy, OpenStack components - **Cargo** (Rust): cargo, hyper, russh, actix-web, openssl crate itself - **Conan** (C/C++): ffmpeg, qt, poco, libgit2 - **GitHub**: Various projects ### Key Findings 1. **Widespread Impact**: At least 50+ distinct software packages with direct OpenSSL dependencies have known vulnerabilities 2. **Multiple Versions Affected**: Some packages like matrix-synapse have hundreds of vulnerable versions 3. **Critical Infrastructure**: Many affected packages are part of critical infrastructure (OpenStack components, web servers, networking tools) 4. **Transitive Risk**: The transitive dependency chain extends the vulnerability surface significantly This demonstrates the significant supply chain security risks associated with OpenSSL dependencies, where vulnerabilities in dependent software can compound the security concerns beyond just OpenSSL itself. --- 👤 **User** Group and count the total number of vulnerabilities by the package ecosystem. Present the results as a table. --- 🧠 **Assistant** ## Vulnerabilities by Package Ecosystem Here's the breakdown of total vulnerabilities in packages that directly depend on OpenSSL, grouped by ecosystem: | Ecosystem | Total Vulnerabilities | Affected Packages | |-----------|----------------------|-------------------| | **PyPI** (Python) | 110 | 31 | | **Cargo** (Rust) | 41 | 24 | | **Conan** (C/C++) | 27 | 8 | | **GitHub** | 3 | 2 | ### Key Insights: 1. **PyPI dominates** with 110 unique vulnerabilities across 31 packages, making Python packages that depend on OpenSSL the most vulnerable ecosystem in this dataset. 2. **Cargo** (Rust ecosystem) has 41 vulnerabilities across 24 packages, showing that despite Rust's memory safety features, packages still have security issues. 3. **Conan** (C/C++) has 27 vulnerabilities but concentrated in just 8 packages, suggesting these packages may have multiple vulnerabilities each. 4. **GitHub** has minimal representation with only 3 vulnerabilities across 2 packages. The data shows that Python's PyPI ecosystem bears the largest security burden among OpenSSL-dependent packages, both in terms of total vulnerabilities and number of affected packages. --- *Created by [mcp-proto-okn](https://github.com/sbl-sdsc/mcp-proto-okn) 0.5.0 on 2026-01-17* **Model**: Claude Sonnet 4.5 (claude-sonnet-4-5-20250929)

Loading blob content...

Latest Blog Posts

Redis vs ioredis vs valkey-glide
By punkpeye on January 26, 2026.
benchmark
Redis
valkey
Quickstart: Publish an MCP Server to the MCP Registry
By punkpeye on January 24, 2026.
mcp
official reference mirror
Official MCP Registry Server.json Requirements
By punkpeye on January 24, 2026.
mcp
official reference mirror

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/sbl-sdsc/mcp-proto-okn'

If you have feedback or need assistance with the MCP directory API, please join our Discord server

3-securechainkg-openssl-dependencies-vulnerabilities.md•4.94 KiB