CVE-2023-23931

Description

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions `Cipher.update_into` would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as `bytes`) to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This now correctly raises an exception. This issue has been present since `update_into` was originally introduced in cryptography 1.8.

How to fix CVE-2023-23931

To remediate CVE-2023-23931, upgrade the affected package to a fixed version below.

• —upgrade to 39.0.1-r0 or later
• —upgrade to 3.3.2-1+deb11u1 or later
• —upgrade to 2.6.1-3+deb10u3 or later
• —upgrade to 2.6.1-3+deb10u4 or later
• —upgrade to 3.3.2-1+deb11u1 or later
• —upgrade to 39.0.1 or later
• —upgrade to 94a50a9731f35405f0357fa5f3b177d46a726ab3 or later

Is CVE-2023-23931 being exploited?

Low — EPSS is 0.7%, meaning exploitation activity has not been observed at scale.

Affected packages (7)

• from 0, < 39.0.1-r0
• from 0, < 3.3.2-1+deb11u1
• from 0, < 2.6.1-3+deb10u3
• from 0, < 2.6.1-3+deb10u4
• from 0, < 3.3.2-1+deb11u1
• >= 1.8, < 39.0.1
• from 0, < 94a50a9731f35405f0357fa5f3b177d46a726ab3 | >= 1.8, < 39.0.1

CVSS scores

References (11)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-23931
• ADVISORYsecurity.alpinelinux.org/vuln/CVE-2023-23931
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2023-23931
• PATCHgithub.com/pyca/cryptography