First published: Tue Feb 07 2023
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions `Cipher.update_into` would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as `bytes`) to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This now correctly raises an exception. This issue has been present since `update_into` was originally introduced in cryptography 1.8.
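A stand-alone illustration of the check the advisory describes, added here and not taken from the cryptography project: `memoryview()` succeeds on immutable objects such as `bytes` just as it does on `bytearray`, so a function that writes into a caller-supplied buffer must test the view's `readonly` flag before writing. `xor_into` is a toy stand-in for `Cipher.update_into` (assumed names, standard library only).

```python
"""Writable-buffer check for an update_into-style API.

Added example; not code from the cryptography project. Standard library only.
"""


def writable_view(buf):
    """Return a writable byte view of `buf`, or raise TypeError.

    memoryview() accepts any buffer-protocol object, including immutable
    ones, so the `readonly` flag has to be checked explicitly. Skipping this
    check is the defect the advisory describes.
    """
    view = memoryview(buf)
    if view.readonly:
        raise TypeError(
            f"{type(buf).__name__} provides an immutable buffer; "
            "pass a bytearray or a writable memoryview"
        )
    return view.cast("B")


def xor_into(data, key, out):
    """Toy stand-in for Cipher.update_into: XOR `data` with a repeating `key`
    and write the result into `out`. Returns the number of bytes written."""
    view = writable_view(out)          # rejects bytes / read-only views
    if len(view) < len(data):
        raise ValueError("output buffer too small")
    for i, b in enumerate(data):
        view[i] = b ^ key[i % len(key)]
    return len(data)


def classify(buf):
    """Report whether `buf` would be accepted ('writable') or rejected ('readonly')."""
    try:
        writable_view(buf)
        return "writable"
    except TypeError:
        return "readonly"


if __name__ == "__main__":
    out = bytearray(4)
    print(xor_into(b"abcd", b"\x01", out), bytes(out))
    # Constructed sample inputs: two mutable, two immutable.
    for obj in (bytearray(4), memoryview(bytearray(4)), b"abcd", memoryview(b"abcd")):
        print(type(obj).__name__, classify(obj))
```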
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Cryptography Project Cryptography | >=1.8, <39.0.1 | |
| debian/python-cryptography | <=2.6.1-3+deb10u2, <=3.3.2-1, <=38.0.4-3~deb12u1 | 2.6.1-3+deb10u4, 38.0.4-3, 41.0.7-4, 42.0.5-2 |
| ubuntu/python-cryptography | <2.8-3ubuntu0.2 | 2.8-3ubuntu0.2 |
| ubuntu/python-cryptography | <3.4.8-1ubuntu2.1 | 3.4.8-1ubuntu2.1 |
| ubuntu/python-cryptography | <38.0.4-2ubuntu0.1 | 38.0.4-2ubuntu0.1 |
| ubuntu/python-cryptography | <39.0.1 | 39.0.1 |
| redhat/python-cryptography | <39.0.1 | 39.0.1 |
| redhat/cryptography | <39.0.1 | 39.0.1 |
| Cryptography.io Cryptography Python | >=1.8, <39.0.1 | |
| pip/cryptography | >=1.8, <39.0.1 | 39.0.1 |
| IBM Cognos Analytics | <=12.0.0-12.0.3 | |
| IBM Cognos Analytics | <=11.2.0-11.2.4 FP4 | |
https://github.com/pyca/cryptography/pull/8230/commits/94a50a9731f35405f0357fa5f3b177d46a726ab3
CVE-2023-23931 is a vulnerability in the cryptography package for Python: `Cipher.update_into` accepted any object implementing the buffer protocol as its output buffer, including objects that only provide an immutable buffer, so immutable objects such as `bytes` could be written into and corrupted.
CVE-2023-23931 has a severity rating of medium with a CVSS score of 6.5.
The cryptography package for Python versions 1.8 up to and including 39.0.1 is affected by CVE-2023-23931.
To fix CVE-2023-23931, update the cryptography package to version 39.0.1 or higher.
You can find more information about CVE-2023-23931 in the following references: [GitHub Advisory](https://github.com/pyca/cryptography/security/advisories/GHSA-w7pp-m8wf-vj6r), [GitHub Pull Request](https://github.com/pyca/cryptography/pull/8230/commits/94a50a9731f35405f0357fa5f3b177d46a726ab3), [NVD](https://nvd.nist.gov/vuln/detail/CVE-2023-23931).