CVE-2023-38325
First published: Fri Jul 14 2023(Updated: )
Python Cryptographic Authority cryptography could provide weaker than expected security, caused by an encoding mismatch regarding critical options with OpenSSH. An attacker could exploit this vulnerability to launch further attacks on the system
Credit: cve@mitre.org cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Cryptography Project Cryptography | >=40.0.0<41.0.2 | |
| Cryptography.io Cryptography Python | >=40.0.0<41.0.2 | |
| pip/cryptography | >=40.0.0<41.0.2 | 41.0.2 |
| IBM Cognos Analytics | <=12.0.0-12.0.3 | |
| IBM Cognos Analytics | <=11.2.0-11.2.4 FP4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://pypi.org/project/cryptography/#history
- https://github.com/pyca/cryptography/compare/41.0.1...41.0.2
- https://github.com/pyca/cryptography/issues/9207
- https://github.com/pyca/cryptography/pull/9208
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NMCCTYY3CSNQBFFYYC5DAV6KATHWCUZK/
- https://security.netapp.com/advisory/ntap-20230824-0010/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NMCCTYY3CSNQBFFYYC5DAV6KATHWCUZK/
- https://nvd.nist.gov/vuln/detail/CVE-2023-38325
- https://github.com/pyca/cryptography/commit/1ca7adc97b76a9dfbd3d850628b613eb93b78fc3
- https://github.com/pyca/cryptography/pull/7960
- https://github.com/pypa/advisory-database/tree/main/vulns/cryptography/PYSEC-2023-112.yaml
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NMCCTYY3CSNQBFFYYC5DAV6KATHWCUZK
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NMCCTYY3CSNQBFFYYC5DAV6KATHWCUZK
- https://security.netapp.com/advisory/ntap-20230824-0010
- https://github.com/advisories/GHSA-cf7p-gm2m-833m (Advisory)
- https://www.ibm.com/support/pages/node/7177223 (Advisory)
Frequently Asked Questions
What is the vulnerability ID for the cryptography package?
The vulnerability ID for the cryptography package is CVE-2023-38325.
What is the severity level of CVE-2023-38325?
CVE-2023-38325 has a severity level of high, with a value of 7.5.
What does the cryptography package before version 41.0.2 for Python mishandle?
The cryptography package before version 41.0.2 for Python mishandles SSH certificates that have critical options.
Which software versions are affected by CVE-2023-38325?
The software versions affected by CVE-2023-38325 are cryptography package versions between 40.0.0 (inclusive) and 41.0.2 (exclusive).
How can I fix the vulnerability in the cryptography package?
To fix the vulnerability in the cryptography package, update to version 41.0.2 or later.
- collector/nvd-latest
- collector/nvd-index
- agent/type
- agent/weakness
- agent/remedy
- agent/severity
- agent/author
- agent/description
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-cf7p-gm2m-833m
- alias/CVE-2023-38325
- agent/references
- agent/softwarecombine
- collector/nvd-cve
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/tags
- agent/first-publish-date
- agent/event
- collector/ibm-support
- source/IBM
- vendor/cryptography project
- canonical/cryptography project cryptography
- version/cryptography project cryptography/40.0.0
- vendor/cryptography.io
- canonical/cryptography.io cryptography python
- version/cryptography.io cryptography python/40.0.0
- package-manager/pip
- vendor/ibm
- canonical/ibm cognos analytics
- version/ibm cognos analytics/12.0.0-12.0.3
- version/ibm cognos analytics/11.2.0-11.2.4 fp4