PT-2023-4595 · Python+11
Aapo Oksman · Published 2023-08-24 · Updated 2025-11-07
CVE-2023-40217
CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Python versions prior to 3.8.18
Python versions 3.9.x prior to 3.9.18
Python versions 3.10.x prior to 3.10.13
Python versions 3.11.x prior to 3.11.5
Description
An issue was discovered in Python that primarily affects servers using TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as "not connected" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. The vulnerability affects servers, such as HTTP servers, that use TLS client authentication. It does not affect client-side HTTPS connections.
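As an added example (not from this advisory and not CPython's own patch), the guard below refuses to TLS-wrap an accepted server socket that is already disconnected but still has bytes in its receive buffer, which is the window the description refers to; `reject_pre_handshake_data`, `FakeAcceptedSocket` and `check` are hypothetical names, and the fake socket is a constructed stand-in so the code runs without a network.

```python
import errno
import socket
import ssl

def reject_pre_handshake_data(sock):
    """Refuse to TLS-wrap a server-side socket that is already disconnected
    yet still has bytes in its receive buffer (the window in the advisory).
    Hypothetical guard, not CPython's own fix: returns sock when it is safe
    to hand to SSLContext.wrap_socket, raises ssl.SSLError otherwise."""
    try:
        sock.getpeername()
        return sock  # still connected: wrap_socket will run the handshake
    except OSError as e:
        if e.errno != errno.ENOTCONN:
            raise
    blocking = sock.getblocking()
    sock.setblocking(False)  # the peek must never stall the accept loop
    try:
        pending = sock.recv(1, socket.MSG_PEEK)
    except OSError as e:
        if e.errno not in (errno.ENOTCONN, errno.EINVAL, errno.EAGAIN):
            raise
        pending = b""
    finally:
        sock.setblocking(blocking)
    if pending:
        sock.close()  # these bytes never passed a handshake: drop them
        raise ssl.SSLError("Closed before TLS handshake with data in recv buffer")
    return sock

class FakeAcceptedSocket:  # constructed test double, no network needed
    def __init__(self, connected, buffered=b""):
        self.connected, self.buffered, self.blocking = connected, buffered, True
    def getpeername(self):
        if not self.connected:
            raise OSError(errno.ENOTCONN, "Transport endpoint is not connected")
        return ("127.0.0.1", 54321)
    def getblocking(self): return self.blocking
    def setblocking(self, flag): self.blocking = flag
    def recv(self, n, flags=0):
        if self.buffered: return self.buffered[:n]
        raise BlockingIOError(errno.EAGAIN, "no data")
    def close(self): self.connected = False

def check(connected, buffered=b""):  # 'ok' if safe to wrap, else 'rejected'
    try:
        reject_pre_handshake_data(FakeAcceptedSocket(connected, buffered))
        return "ok"
    except ssl.SSLError:
        return "rejected"
```

In a real accept loop the guard would sit between `accept()` and `context.wrap_socket(conn, server_side=True)`; a connected peer, or a disconnected one with an empty buffer, passes through, while a disconnected socket with leftover bytes is closed and reported.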
Recommendations
Update to Python version 3.8.18 or later for Python 3.8.x
Update to Python version 3.9.18 or later for Python 3.9.x
Update to Python version 3.10.13 or later for Python 3.10.x
Update to Python version 3.11.5 or later for Python 3.11.x
As a temporary workaround, consider restricting access to the ssl.SSLSocket class until a patch is available.
Weakness Enumeration
Improper Initialization
Affected Products
ALT Linux
AlmaLinux
Astra Linux
CentOS
IBM AIX
Linux Mint
Python
Red Hat
RED OS
Rocky Linux
SUSE
Ubuntu