First published: Fri Aug 25 2023
Python could allow a remote attacker to bypass security restrictions because of a race condition in the SSLSocket module: when the socket is closed before the TLS handshake is complete, the data is treated as if it had been encrypted by TLS. An attacker could exploit this vulnerability to bypass the TLS handshake, inject a malicious client certificate into the connection, and gain access to the server's resources without being authenticated.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Python | <3.8.18 | |
| Python | >=3.9.0, <3.9.18 | |
| Python | >=3.10.0, <3.10.13 | |
| Python | >=3.11.0, <3.11.5 | |
| ubuntu/python2.7 | <2.7.17-1~18.04ubuntu1.13+ | 2.7.17-1~18.04ubuntu1.13+ |
| ubuntu/python2.7 | <2.7.6-8ubuntu0.6+ | 2.7.6-8ubuntu0.6+ |
| ubuntu/python2.7 | <2.7.12-1ubuntu0~16.04.18+ | 2.7.12-1ubuntu0~16.04.18+ |
| ubuntu/python3.10 | <3.10.13-1 | 3.10.13-1 |
| ubuntu/python3.10 | <3.10.12-1~22.04.3 | 3.10.12-1~22.04.3 |
| ubuntu/python3.11 | <3.11.5-1 | 3.11.5-1 |
| ubuntu/python3.11 | <3.11.4-1~23.04.1 | 3.11.4-1~23.04.1 |
| ubuntu/python3.12 | <3.12 | 3.12 |
| ubuntu/python3.9 | <3.9.18 | 3.9.18 |
| ubuntu/python3.5 | <3.5.2-2ubuntu0~16.04.13+ | 3.5.2-2ubuntu0~16.04.13+ |
| ubuntu/python3.6 | <3.6.9-1~18.04ubuntu1.13+ | 3.6.9-1~18.04ubuntu1.13+ |
| ubuntu/python3.8 | <3.8.10-0ubuntu1~20.04.9 | 3.8.10-0ubuntu1~20.04.9 |
| redhat/Python | <3.11.5 | 3.11.5 |
| redhat/Python | <3.10.13 | 3.10.13 |
| redhat/Python | <3.9.18 | 3.9.18 |
| redhat/Python | <3.8.18 | 3.8.18 |
| IBM QRadar SIEM | <=7.5 - 7.5.0 UP7 | |
| debian/pypy3 | <=7.0.0+dfsg-3, <=7.3.5+dfsg-2+deb11u2, <=7.3.11+dfsg-2+deb12u1 | 7.3.15+dfsg-1 |
| debian/python2.7 | <=2.7.16-2+deb10u1 | 2.7.16-2+deb10u3, 2.7.18-8+deb11u1 |
| debian/python3.10 | 3.10.13-1 | |
| debian/python3.11 | <=3.11.2-6 | 3.11.8-1, 3.11.8-3 |
| debian/python3.12 | 3.12.2-1, 3.12.2-4 | |
| debian/python3.7 | <=3.7.3-2+deb10u3 | 3.7.3-2+deb10u6 |
| debian/python3.9 | <=3.9.2-1 | |
CVE-2023-40217 is a vulnerability discovered in Python versions before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5.
Servers (such as HTTP servers) that use TLS client authentication are primarily affected by CVE-2023-40217.
CVE-2023-40217 has a severity score of 5.3 (medium).
To fix CVE-2023-40217, update Python to version 3.8.18, 3.9.18, 3.10.13, or 3.11.5, depending on the branch in use.
More information about CVE-2023-40217 is available in the following references: [Link 1](https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html), [Link 2](https://mail.python.org/archives/list/security-announce@python.org/thread/PEPLII27KYHLF4AK3ZQGKYNCRERG4YXY/), [Link 3](https://www.python.org/dev/security/).
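As a quick inventory check against the upstream ranges listed above, the following is an added example (not SecAlerts' or the Python project's code): it parses a CPython version string such as the output of `python3 --version` and reports whether that release falls in a range the advisory lists as affected. The fixed releases (3.8.18, 3.9.18, 3.10.13, 3.11.5) are taken from the advisory; the function names and sample inputs are this example's own. Distribution packages backport the fix without changing the upstream version number, so a vendor-patched build (for example Ubuntu's 3.10.12-1~22.04.3) is reported as affected by this upstream-only check; for those, compare the package version against the "How to fix" column instead.

```python
import sys
from typing import Tuple

# First fixed upstream release per CPython branch, as listed in the advisory
# for CVE-2023-40217. Branches 3.12 and later were never affected.
FIXED_RELEASES = {
    (3, 8): (3, 8, 18),
    (3, 9): (3, 9, 18),
    (3, 10): (3, 10, 13),
    (3, 11): (3, 11, 5),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn 'Python 3.11.4', '3.11.4' or '3.9.18+' into a (major, minor, micro) tuple.

    Only the leading digits of each component are used, so release suffixes
    such as 'rc1' or a distro '+' marker are ignored.
    """
    token = text.strip().split()[-1]          # drop a leading 'Python' if present
    parts = []
    for piece in token.split(".")[:3]:
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:                     # '3.11' -> (3, 11, 0)
        parts.append(0)
    return parts[0], parts[1], parts[2]


def is_affected(version: Tuple[int, int, int]) -> bool:
    """True if an *upstream* CPython release of this version is affected.

    Vendor packages (Ubuntu, Debian, Red Hat) backport the fix without
    bumping the upstream version, so for those compare the package version
    against the distribution's fixed package instead of using this check.
    """
    major, minor, _micro = version
    if major == 2:
        return True            # 2.7 has no upstream fix; only distro backports exist
    if major != 3:
        return False
    if minor < 8:
        return True            # "before 3.8.18" covers every earlier 3.x branch
    fixed = FIXED_RELEASES.get((major, minor))
    if fixed is None:
        return False           # 3.12 and later were never affected
    return version < fixed


def running_interpreter_affected() -> bool:
    """Evaluate the interpreter this script is running under."""
    return is_affected(tuple(sys.version_info[:3]))


if __name__ == "__main__":
    # Constructed sample inputs, e.g. `python3 --version` output gathered from a few hosts.
    for sample in ["Python 3.11.4", "Python 3.11.5", "Python 3.8.17", "Python 3.12.0"]:
        v = parse_version(sample)
        print(f"{sample}: {'AFFECTED' if is_affected(v) else 'not affected'}")
    print("this interpreter:", "AFFECTED" if running_interpreter_affected() else "not affected")
```

The check compares version tuples against the first fixed release of each branch rather than matching exact strings, so pre-release and post-release suffixes do not cause false negatives; the comment in `is_affected` is the place to add a per-vendor override if your fleet runs backported packages.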