GHSA-w7pp-m8wf-vj6r
Suggest an improvement- Source
- https://github.com/advisories/GHSA-w7pp-m8wf-vj6r
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/02/GHSA-w7pp-m8wf-vj6r/GHSA-w7pp-m8wf-vj6r.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-w7pp-m8wf-vj6r
- Aliases
- Published
- 2023-02-07T20:54:10Z
- Modified
- 2025-11-05T00:42:17.400725Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L CVSS Calculator
- 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Cipher.update_into can corrupt memory if passed an immutable python object as the outbuf
- Details
-
Previously,
Cipher.update_intowould accept Python objects which implement the buffer protocol, but provide only immutable buffers:>>> outbuf = b"\x00" * 32 >>> c = ciphers.Cipher(AES(b"\x00" * 32), modes.ECB()).encryptor() >>> c.update_into(b"\x00" * 16, outbuf) 16 >>> outbuf b'\xdc\x95\xc0x\xa2@\x89\x89\xadH\xa2\x14\x92\x84 \x87\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'This would allow immutable objects (such as
bytes) to be mutated, thus violating fundamental rules of Python. This is a soundness bug -- it allows programmers to misuse an API, it cannot be exploited by attacker controlled data alone.This now correctly raises an exception.
This issue has been present since
update_intowas originally introduced in cryptography 1.8. - Database specific
{ "github_reviewed_at": "2023-02-07T20:54:10Z", "nvd_published_at": "2023-02-07T21:15:00Z", "cwe_ids": [ "CWE-754" ], "severity": "MODERATE", "github_reviewed": true }- References
-
- https://github.com/pyca/cryptography/security/advisories/GHSA-w7pp-m8wf-vj6r
- https://nvd.nist.gov/vuln/detail/CVE-2023-23931
- https://github.com/pyca/cryptography/pull/8230
- https://github.com/pyca/cryptography/commit/d6951dca25de45abd52da51b608055371fbcde4e
- https://github.com/pyca/cryptography
- https://github.com/pypa/advisory-database/tree/main/vulns/cryptography/PYSEC-2023-11.yaml
- https://lists.debian.org/debian-lts-announce/2024/10/msg00012.html
- https://security.netapp.com/advisory/ntap-20230324-0007
Affected packages
PyPI / cryptography
Package
- Name
- cryptography
- View open source insights on deps.dev
- Purl
- pkg:pypi/cryptography
Affected versions
1.*
1.8
1.8.1
1.8.2
1.9
2.*
2.0
2.0.1
2.0.2
2.0.3
2.1
2.1.1
2.1.2
2.1.3
2.1.4
2.2
2.2.1
2.2.2
2.3
2.3.1
2.4
2.4.1
2.4.2
2.5
2.6
2.6.1
2.7
2.8
2.9
2.9.1
2.9.2
3.*
3.0
3.1
3.1.1
3.2
3.2.1
3.3
3.3.1
3.3.2
3.4
3.4.1
3.4.2
3.4.3
3.4.4
3.4.5
3.4.6
3.4.7
3.4.8
35.*
35.0.0
36.*
36.0.0
36.0.1
36.0.2
37.*
37.0.0
37.0.1
37.0.2
37.0.3
37.0.4
38.*
38.0.0
38.0.1
38.0.2
38.0.3
38.0.4
39.*
39.0.0