CVE-2023-23931

CWE-754 | 14 documents | 9 sources

Severity: 6.5 MEDIUM
EPSS: 0.8% (top 25.87%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 7; Latest update Jan 15

Description

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions `Cipher.update_into` would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as `bytes`) to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This now correctly raises an exception. This issue has been present since `update_into` was originally intr

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
Exploitability: 2.2 | Impact: 2.5

Affected Packages (5 packages)

Source    | Package                      | Affected versions
Debian    | python-cryptography          | < 3.3.2-1+deb11u1+3
Ubuntu    | python-cryptography          | < 2.8-3ubuntu0.2+1
PyPI      | cryptography                 | introduced 1.8, fixed 39.0.1
NVD       | cryptography.io/cryptography | introduced 1.8, fixed 39.0.1
CVEListV5 | pyca/cryptography            | >= 1.8, < 39.0.1

Patches

🔴 Vulnerability Details (5)

OSV: python-cryptography vulnerabilities (2023-12-06)
GHSA: Cipher.update_into can corrupt memory if passed an immutable python object as the outbuf (2023-02-07)
OSV: Cipher.update_into can corrupt memory if passed an immutable python object as the outbuf (2023-02-07)
CVEList: Cipher.update_into can corrupt memory in pyca cryptography (2023-02-07)
OSV: CVE-2023-23931: cryptography is a package designed to expose cryptographic primitives and recipes to Python developers (2023-02-07)

📋 Vendor Advisories (8)

Oracle: Oracle Analytics Risk Matrix: Analytics Server (Cryptography) — CVE-2023-23931 (2024-01-15)
Ubuntu: python-cryptography vulnerabilities (2023-12-06)
Oracle: Oracle Communications Risk Matrix: Configuration (Cryptography) — CVE-2023-23931 (2023-10-15)
Oracle: Oracle Database Server Risk Matrix: OML4Py (cryptography) — CVE-2023-23931 (2023-07-15)
Oracle: Oracle Communications Risk Matrix: Platform (Cryptography) — CVE-2023-23931 (2023-04-15)