PT-2023-2766 · Pypi+10 · Cryptography+10
Alexp · Published 2023-02-07 · Updated 2025-02-06
CVE-2023-23931 · CVSS v4.0 6.9 Medium
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
cryptography versions 1.8 through the latest version before the fix
Description
The issue is related to the Cipher.update_into function in the cryptography package, which would accept Python objects that implement the buffer protocol but provide only immutable buffers. This could allow immutable objects, such as bytes, to be mutated, violating fundamental rules of Python and resulting in corrupted output. The function now correctly raises an exception. This issue has been present since update_into was originally introduced in cryptography 1.8.
Recommendations
For cryptography versions 1.8 through the latest version before the fix, update to a version where the Cipher.update_into function correctly raises an exception for immutable buffers. As a temporary workaround, avoid calling Cipher.update_into with immutable objects such as bytes until a patched version is available, and restrict access to the Cipher.update_into function to minimize the risk of exploitation.
Exploit
Fix
DoS
Improper Check for Exceptional Conditions
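The check the description says the fixed function now performs, as an added example that is not code from the cryptography project: a caller-side guard that inspects the destination through memoryview and raises TypeError for read-only buffers (bytes, or a memoryview over bytes) and ValueError for undersized ones before any write happens. XorContext is a constructed stand-in that only mirrors the update_into(data, buf) -> int contract so the guard can run offline; the XOR is not a real cipher.

```python
class XorContext:
    """Constructed stand-in for cryptography's CipherContext.

    Only the update_into(data, buf) -> int contract is mirrored so the guard
    can be exercised offline; the XOR is not a real cipher.
    """

    def __init__(self, key: bytes) -> None:
        self._key = key

    def update_into(self, data: bytes, buf) -> int:
        # Writes through a memoryview; Python itself refuses read-only views,
        # which is the behaviour the fixed library enforces at its own layer.
        view = memoryview(buf)
        for i, b in enumerate(data):
            view[i] = b ^ self._key[i % len(self._key)]
        return len(data)


def safe_update_into(ctx, data: bytes, buf) -> int:
    """Guard a destination buffer the way a fixed update_into should.

    Raises TypeError for read-only buffers (bytes, or a memoryview over bytes)
    and ValueError when the buffer cannot hold len(data) bytes.
    """
    view = memoryview(buf)
    if view.readonly:
        raise TypeError("destination must be writable, e.g. bytearray")
    if view.nbytes < len(data):
        raise ValueError(f"buffer too small: need {len(data)}, have {view.nbytes}")
    return ctx.update_into(data, view)


def rejects_readonly(ctx, data: bytes, buf) -> bool:
    """True if the guard refuses `buf` as read-only, False if the write went through."""
    try:
        safe_update_into(ctx, data, buf)
    except TypeError:
        return True
    return False


def demo() -> bytes:
    """Constructed input: XOR four bytes with key 0x0f into a bytearray."""
    ctx = XorContext(b"\x0f")
    out = bytearray(4)
    n = safe_update_into(ctx, b"\x00\x01\x02\x03", out)
    return bytes(out[:n])


if __name__ == "__main__":
    print(demo().hex())                                               # 0f0e0d0c
    print(rejects_readonly(XorContext(b"\x0f"), b"abc", b"\x00" * 3))  # True
```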
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Almalinux
Astra Linux
Centos
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu
Cryptography