CVE-2023-23931

Published: 7 February 2023

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions, `Cipher.update_into` would accept as its output argument any Python object implementing the buffer protocol, including objects that provide only an immutable buffer. This allowed immutable objects (such as `bytes`) to be mutated in place, violating a fundamental rule of Python and producing corrupted output. The fix makes `update_into` raise an exception for such buffers. This issue has been present since `update_into` was originally introduced in cryptography 1.8.
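The check the fix adds is the one a practitioner would want in any `update_into`-style API: verify that the output object exposes a writable buffer before writing through it. The following is an added example, not code from the cryptography project; `writable_view`, `classify_output` and the toy XOR "cipher" `xor_update_into` are stand-ins constructed here to show the guard and the size check, and do not reproduce the library's real cipher code.

```python
"""Guarding an update_into-style API against read-only output buffers.

Added example (not the cryptography project's code). A `bytes` object
implements the buffer protocol but exports a read-only buffer; accepting it
as an output buffer lets a C extension write into an immutable object.
memoryview() exposes the exporter's read-only flag, so the guard can reject
such objects before any write happens.
"""
from typing import Any


def classify_output(buf: Any) -> str:
    """Classify a candidate output object: 'writable', 'readonly' or 'not-a-buffer'."""
    try:
        view = memoryview(buf)          # any buffer-protocol object, mutable or not
    except TypeError:
        return "not-a-buffer"
    return "readonly" if view.readonly else "writable"


def is_writable_buffer(buf: Any) -> bool:
    """True only for objects whose buffer may be written (bytearray, writable memoryview...)."""
    return classify_output(buf) == "writable"


def writable_view(buf: Any) -> memoryview:
    """Return a flat, byte-addressable, writable view of buf, or raise TypeError.

    This is the guard the vulnerable code lacked: bytes, and any view produced
    by memoryview.toreadonly(), are refused instead of being written through.
    """
    kind = classify_output(buf)
    if kind == "not-a-buffer":
        raise TypeError("output must support the buffer protocol")
    if kind == "readonly":
        raise TypeError("output buffer must be writable (use bytearray, not bytes)")
    return memoryview(buf).cast("B")


def xor_update_into(data: bytes, key_stream: bytes, buf: Any) -> int:
    """Toy stand-in for a stream cipher's update_into: XOR data into buf.

    Returns the number of bytes written, as Cipher.update_into does. It also
    enforces the output-size check a real implementation needs.
    """
    view = writable_view(buf)           # rejects bytes and read-only views
    if len(view) < len(data):
        raise ValueError(f"output buffer too small: need {len(data)}, have {len(view)}")
    if len(key_stream) < len(data):
        raise ValueError("key stream shorter than data")
    for i, (d, k) in enumerate(zip(data, key_stream)):
        view[i] = d ^ k
    return len(data)
```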

Notes

Author       Note
mdeslaur     Per the upstream advisory: "This is a soundness bug -- it allows
             programmers to misuse an API, it cannot be exploited by attacker
             controlled data alone."
seth-arnold  Debian's update was incomplete, see 2.6.1-3+deb10u4
ccdm94       As per the advisory, this vulnerability was introduced in version 1.8.

Priority

Low

CVSS 3 Severity Score

6.5

Status

Package Release Status
python-cryptography
Release   Status
upstream  Released (39.0.1)
trusty    Ignored (end of standard support, was not-affected)
xenial    Not vulnerable (code not present)
bionic    Needed
focal     Released (2.8-3ubuntu0.2)
jammy     Released (3.4.8-1ubuntu2.1)
kinetic   Ignored (end of life, was needed)
lunar     Released (38.0.4-2ubuntu0.1)
mantic    Not vulnerable (38.0.4-3)

Patches:
upstream: https://github.com/pyca/cryptography/commit/9fbf84efc861668755ab645530ec7be9cf3c6696

Severity score breakdown

Parameter               Value
Base score              6.5
Attack vector           Network
Attack complexity       Low
Privileges required     None
User interaction        None
Scope                   Unchanged
Confidentiality impact  None
Integrity impact        Low
Availability impact     Low
Vector                  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L