CVE-2023-40217 — Authentication Bypass by Primary Weakness in Python
Severity
5.3MEDIUMNVD
OSV7.6OSV7.5OSV6.5
EPSS
0.6%
top 31.06%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedAug 25
Latest updateApr 15
Description
An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as "not connected" and won't initiate a handshake, but buffered data will still be readable from the socket buf…
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4
Affected Packages10 packages
🔴Vulnerability Details
6OSV▶
python3.5, python3.6, python3.7, python3.8, python3.9, python3.10, python3.11, python3.12 vulnerabilities↗2024-07-11
📋Vendor Advisories
10Palo Alto
▶
💬Community
1Bugzilla▶
CVE-2023-39325 golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487)↗2023-10-11