CVE-2023-23931

Exploit

EPSS 0.72%
Veröffentlicht 07.02.2023 21:15:09
Zuletzt bearbeitet 21.11.2024 07:47:07
Quelle security-advisories@github.com
Teams Watchlist Login
Unerledigt Login

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions `Cipher.update_into` would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as `bytes`) to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This now correctly raises an exception. This issue has been present since `update_into` was originally introduced in cryptography 1.8.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Cryptography.Io ≫ Cryptography SwPlatformpython Version >= 1.8 < 39.0.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.72%	0.716

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.5	3.9	2.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
security-advisories@github.com	4.8	2.2	2.5	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L

CWE-754 Improper Check for Unusual or Exceptional Conditions

The product does not check or incorrectly checks for unusual or exceptional conditions that are not expected to occur frequently during day to day operation of the product.

https://github.com/pyca/cryptography/pull/8230/commits/94a50a9731f35405f0357fa5f3b177d46a726ab3

Patch

https://github.com/pyca/cryptography/security/advisories/GHSA-w7pp-m8wf-vj6r

Vendor Advisory

Exploit

https://security.netapp.com/advisory/ntap-20230324-0007/

https://nvd.nist.gov/vuln/detail/CVE-2023-23931

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2023-23931

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2023-23931

EUVD