CVE-2023-23931

Published: Feb 7, 2023Modified: Nov 3, 2025

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Exploitability: 3.9 / Impact: 2.5

Source: NVD

Description

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions `Cipher.update_into` would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as `bytes`) to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This now correctly raises an exception. This issue has been present since `update_into` was originally introduced in cryptography 1.8.

Affected (1)

Products: Cryptography.io: Cryptography

Cryptography.io

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Cryptography.io Cryptography	From 1.8 to 39.0.1

Related CWEs

Improper Check for Unusual or Exceptional Conditions

The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.

References (6)

https://github.com/pyca/cryptography/pull/8230/commits/94a50a9731f35405f0357fa5f3b177d46a726ab3

Source: security-advisories@github.com

Patch

https://github.com/pyca/cryptography/security/advisories/GHSA-w7pp-m8wf-vj6r

Source: security-advisories@github.com

ExploitVendor Advisory

https://github.com/pyca/cryptography/pull/8230/commits/94a50a9731f35405f0357fa5f3b177d46a726ab3

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

https://github.com/pyca/cryptography/security/advisories/GHSA-w7pp-m8wf-vj6r

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitVendor Advisory

https://lists.debian.org/debian-lts-announce/2024/10/msg00012.html

Source: af854a3a-2127-422b-91ae-364da2661108

https://security.netapp.com/advisory/ntap-20230324-0007/

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.