CVE-2023-23931

Name
CVE-2023-23931
Description
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions `Cipher.update_into` would accept as its output buffer any Python object that implements the buffer protocol, including objects that provide only an immutable (read-only) buffer. The cipher output was then written into that buffer regardless, so immutable objects (such as `bytes`) were mutated in place, violating a fundamental rule of Python and resulting in corrupted output for any code that still referenced the same object. Fixed versions now correctly raise an exception when the supplied buffer is not writable. This issue has been present since `update_into` was originally introduced in cryptography 1.8; the fix shipped in 39.0.1 (see the match rule below).
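The following is an added example, not code from pyca/cryptography or from the advisory. It models the behaviour described above with a toy `update_into` that refuses read-only buffers before writing (using `memoryview(...).readonly` as a stand-in for whatever check the library itself uses), probes it with the buffer types a caller is likely to pass, and adds a version-range check derived from the match rule below. The names `writable_view`, `toy_update_into`, `probe_buffers`, `affected_version` and `TOY_BLOCK_SIZE` are hypothetical; the AES-CTR call at the end uses the real library API and runs only when `cryptography` is installed.

```python
"""Added illustration for CVE-2023-23931 (not pyca/cryptography code).

Cipher.update_into() hands the caller's output buffer to native code that
writes cipher output into it. Before 39.0.1 that write happened even when
the object was read-only (e.g. bytes), silently mutating an immutable
object. The toy update_into below models the fixed behaviour: it rejects
any buffer that is not writable before touching it.
"""
import importlib.metadata
import re
from array import array

TOY_BLOCK_SIZE = 16  # assumption: AES-style 16-byte block, used only for sizing


def writable_view(buf) -> memoryview:
    """Return a writable, 1-D byte view over `buf`, or raise TypeError.

    bytes, memoryview.toreadonly() and similar objects expose the buffer
    protocol but are read-only; they must be refused, not written into.
    """
    try:
        view = memoryview(buf)
    except TypeError as exc:
        raise TypeError("output buffer must support the buffer protocol") from exc
    if view.readonly:
        raise TypeError(
            f"{type(buf).__name__} is read-only; pass a bytearray or writable memoryview"
        )
    return view.cast("B")  # flatten e.g. array('I') into a byte-addressable view


def toy_update_into(data: bytes, buf) -> int:
    """Model of update_into: write into `buf`, return the number of bytes written.

    The transform is identity so the example stays focused on buffer handling;
    the documented sizing rule (buf >= len(data) + block_size - 1) is kept.
    """
    out = writable_view(buf)
    needed = len(data) + TOY_BLOCK_SIZE - 1
    if len(out) < needed:
        raise ValueError(f"buffer too small: need {needed} bytes, have {len(out)}")
    out[: len(data)] = data
    return len(data)


def probe_buffers() -> dict:
    """Try each candidate output buffer; map its name to 'ok:<n>' or the error class."""
    data = b"attack at dawn"  # constructed sample input, 14 bytes
    candidates = {
        "bytes": bytes(64),                                       # immutable: refused
        "bytearray": bytearray(64),                               # writable: accepted
        "memoryview(bytearray)": memoryview(bytearray(64)),       # writable: accepted
        "memoryview.toreadonly()": memoryview(bytearray(64)).toreadonly(),  # refused
        "array('I')": array("I", [0] * 16),                       # 64 writable bytes
        "str": "not a buffer",                                    # no buffer protocol
    }
    results = {}
    for name, buf in candidates.items():
        try:
            results[name] = f"ok:{toy_update_into(data, buf)}"
        except (TypeError, ValueError) as exc:
            results[name] = type(exc).__name__
    return results


def affected_version(version: str) -> bool:
    """True if a cryptography release is in the advisory range >= 1.8, < 39.0.1."""
    nums = []
    for part in version.split(".")[:3]:
        m = re.match(r"\d+", part)  # tolerate suffixes such as '0rc1'
        nums.append(int(m.group()) if m else 0)
    nums += [0] * (3 - len(nums))
    return (1, 8, 0) <= tuple(nums) < (39, 0, 1)


if __name__ == "__main__":
    for name, outcome in probe_buffers().items():
        print(f"{name:26} -> {outcome}")
    try:
        installed = importlib.metadata.version("cryptography")
    except importlib.metadata.PackageNotFoundError:
        installed = None
    if installed:
        print("installed cryptography", installed, "affected:", affected_version(installed))
        import os
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

        enc = Cipher(algorithms.AES(os.urandom(32)), modes.CTR(os.urandom(16))).encryptor()
        data = b"attack at dawn"
        buf = bytearray(len(data) + 15)  # writable and sized per the documented rule
        n = enc.update_into(data, buf)
        print("real update_into wrote", n, "bytes:", bytes(buf[:n]).hex())
```

Running the probe shows the distinction that matters: `bytearray`, a writable `memoryview` and a writable `array` are accepted, while `bytes`, a `memoryview.toreadonly()` view and a non-buffer `str` are rejected before any write occurs. The `__main__` section also prints whether the installed release falls inside the advisory's range, which is the quickest audit for this issue.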
NVD Severity
medium
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://github.com/pyca/cryptography/security/advisories/GHSA-w7pp-m8wf-vj6r
MISC https://github.com/pyca/cryptography/pull/8230/commits/94a50a9731f35405f0357fa5f3b177d46a726ab3

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:cryptography_project:cryptography:*:*:*:*:*:python:*:* py3-cryptography >= 1.8 < 39.0.1

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
py3-cryptography 3.17-community 38.0.3-r1 August Klein <amatcoder@gmail.com> fixed
py3-cryptography 3.14-main 3.3.2-r1 August Klein <amatcoder@gmail.com> possibly vulnerable