Cipher.update_into can corrupt memory in pyca cryptography
CVE-2023-23931

4.8MEDIUM

Key Information:

Vendor: Pyca
Status: Cryptography
Vendor: CVE Published:; 7 February 2023

What is CVE-2023-23931?

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions Cipher.update_into would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as bytes) to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This now correctly raises an exception. This issue has been present since update_into was originally introduced in cryptography 1.8.

Affected Version(s)

cryptography >=1.8, < 39.0.1

References

https://github.com/pyca/cryptography/security/advisories/...

x_refsource_CONFIRM

https://github.com/pyca/cryptography/pull/8230/commits/94...

x_refsource_MISC

CVSS V3.1

Score:

4.8

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 7, 2023
Vulnerability Reserved
Jan 19, 2023

CVE-2023-23931 Data

JSON

Pyca

What is CVE-2023-23931?

Affected Version(s)

References

CVSS V3.1

Timeline