CVE-2023-38325
First published: Fri Jul 14 2023(Updated: )
The cryptography package before 41.0.2 for Python mishandles SSH certificates that have critical options.
Credit: cve@mitre.org cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Cryptography Project Cryptography | >=40.0.0<41.0.2 | |
| pip/cryptography | >=40.0.0<41.0.2 | 41.0.2 |
| Cryptography.io Cryptography Python | >=40.0.0<41.0.2 | |
| >=40.0.0<41.0.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://pypi.org/project/cryptography/#history
- https://github.com/pyca/cryptography/compare/41.0.1...41.0.2
- https://github.com/pyca/cryptography/issues/9207
- https://github.com/pyca/cryptography/pull/9208
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NMCCTYY3CSNQBFFYYC5DAV6KATHWCUZK/
- https://security.netapp.com/advisory/ntap-20230824-0010/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NMCCTYY3CSNQBFFYYC5DAV6KATHWCUZK/
- https://nvd.nist.gov/vuln/detail/CVE-2023-38325
- https://github.com/pyca/cryptography/commit/1ca7adc97b76a9dfbd3d850628b613eb93b78fc3
- https://github.com/pyca/cryptography/pull/7960
- https://github.com/pypa/advisory-database/tree/main/vulns/cryptography/PYSEC-2023-112.yaml
- https://github.com/advisories/GHSA-cf7p-gm2m-833m (Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NMCCTYY3CSNQBFFYYC5DAV6KATHWCUZK
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NMCCTYY3CSNQBFFYYC5DAV6KATHWCUZK
- https://security.netapp.com/advisory/ntap-20230824-0010
Frequently Asked Questions
What is the vulnerability ID for the cryptography package?
The vulnerability ID for the cryptography package is CVE-2023-38325.
What is the severity level of CVE-2023-38325?
CVE-2023-38325 has a severity level of high, with a value of 7.5.
What does the cryptography package before version 41.0.2 for Python mishandle?
The cryptography package before version 41.0.2 for Python mishandles SSH certificates that have critical options.
Which software versions are affected by CVE-2023-38325?
The software versions affected by CVE-2023-38325 are cryptography package versions between 40.0.0 (inclusive) and 41.0.2 (exclusive).
How can I fix the vulnerability in the cryptography package?
To fix the vulnerability in the cryptography package, update to version 41.0.2 or later.
- collector/nvd-latest
- collector/nvd-index
- agent/type
- agent/first-publish-date
- agent/weakness
- agent/remedy
- agent/severity
- agent/author
- agent/description
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-cf7p-gm2m-833m
- alias/CVE-2023-38325
- agent/references
- agent/last-modified-date
- agent/softwarecombine
- agent/event
- collector/nvd-cve
- collector/github-advisory
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/cryptography project
- canonical/cryptography project cryptography
- version/cryptography project cryptography/40.0.0
- vendor/cryptography.io
- canonical/cryptography.io cryptography python
- version/cryptography.io cryptography python/40.0.0
- package-manager/pip