Fluid Attacks Database

Description

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions Cipher.update_into would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as bytes) to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This now correctly raises an exception. This issue has been present since update_into was originally introduced in cryptography 1.8.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 12	python-cryptography	>=0 <38.0.4-3	38.0.4-3
debian 14	python-cryptography	>=0 <38.0.4-3	38.0.4-3
debian 11	python-cryptography	=3.3.2-1 \|\| >=0 <3.3.2-1+deb11u1	3.3.2-1+deb11u1
debian 13	python-cryptography	>=0 <38.0.4-3	38.0.4-3
pypi	cryptography	>=1.8 <39.0.1	39.0.1
alpine v3.23	py3-cryptography	=0.6.1-r0 \|\| =0.8.2-r0 \|\| =1.0.2-r0 \|\| =1.3.1-r0 \|\| =1.3.2-r0 \|\| =1.4-r0 \|\| =1.4-r1 \|\| =1.4-r2 \|\| =1.5.2-r0 \|\| =1.5.2-r1 \|\| =1.5.3-r0 \|\| =1.7.2-r0 \|\| =1.7.2-r1 \|\| =1.8.1-r0 \|\| =1.8.1-r1 \|\| =1.9-r0 \|\| =2.0.2-r0 \|\| =2.0.3-r0 \|\| =2.0.3-r1 \|\| =2.1.3-r0 \|\| =2.1.4-r0 \|\| =2.1.4-r1 \|\| =2.2.2-r0 \|\| =2.3.1-r0 \|\| =2.3.1-r1 \|\| =2.4.2-r0 \|\| =2.4.2-r1 \|\| =2.4.2-r2 \|\| =2.5-r0 \|\| =2.6.1-r0 \|\| =2.6.1-r1 \|\| =2.7-r0 \|\| =2.7-r1 \|\| =2.8-r0 \|\| =2.8-r1 \|\| =2.9-r0 \|\| =2.9.2-r0 \|\| =3.2.1-r0 \|\| =3.3-r0 \|\| =3.3.1-r0 \|\| =3.3.2-r0 \|\| =3.3.2-r1 \|\| =3.3.2-r2 \|\| =3.3.2-r3 \|\| =3.3.2-r4 \|\| =3.4.8-r0 \|\| =3.4.8-r1 \|\| =37.0.4-r0 \|\| =37.0.4-r1 \|\| =37.0.4-r2 \|\| =38.0.1-r0 \|\| =38.0.2-r0 \|\| =38.0.3-r0 \|\| =38.0.3-r1 \|\| =38.0.4-r0 \|\| =39.0.0-r0 \|\| >=0 <39.0.1-r0	39.0.1-r0
rpm rhel8	python-cryptography	<0:3.2.1-6.el8	0:3.2.1-6.el8
rpm rhel7	python-cryptography	-	-
rpm rhel9	python-cryptography	<0:36.0.1-4.el9	0:36.0.1-4.el9
rpm rhel8	python39	<0:3.9.18-3.module+el8.10.0+21142+453d2b75	0:3.9.18-3.module+el8.10.0+21142+453d2b75

1-10 of 11

Aliases

1. CVE-2023-239312. NVD-2023-239313. OSV-DEBIAN-2023-239314. OSV-2023-239315. OSV-ALPINE-2023-239316. GHSA-w7pp-m8wf-vj6r7. GCVE-2023-239318. SECURITY-TRACKER-CVE-2023-239319. lists.debian.org10. SECURITY-CVE-2023-23931

References

1. https://github.com/pyca/cryptography/security/advisories/GHSA-w7pp-m8wf-vj6r2. https://github.com/pyca/cryptography/pull/82303. https://github.com/pyca/cryptography/commit/d6951dca25de45abd52da51b608055371fbcde4e4. https://github.com/pypa/advisory-database/tree/main/vulns/cryptography/PYSEC-2023-11.yaml5. https://security.netapp.com/advisory/ntap-20230324-0007

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.