CVE-2023-23931
Soundness Bug vulnerability in cryptography (PyPI)
What is CVE-2023-23931 About?
A soundness bug exists in `Cipher.update_into` in the cryptography library: it accepted any object implementing the buffer protocol as its output buffer, including objects that only expose an immutable buffer (such as `bytes`), and then wrote into it. This violates a fundamental rule of Python, that immutable objects are never modified, and results in corrupted output. It is not directly exploitable by attacker-controlled data alone; it is an API misuse that the library failed to reject, which can lead to unpredictable behavior or data corruption within an application.
Affected Software
cryptography (PyPI), versions 1.8 up to and including 39.0.0 (range >=1.8, <39.0.1). The bug has been present since `update_into` was introduced in 1.8 and is fixed in 39.0.1.
Technical Details
Prior to the patch, `Cipher.update_into` accepted as its output buffer any Python object implementing the buffer protocol, including objects that only provide a read-only buffer (for example, `bytes`). It then wrote ciphertext into that buffer, mutating an object Python considers immutable. This is a soundness bug because the interpreter relies on that guarantee: CPython shares `bytes` objects freely (literals are reused as constants, empty and single-byte `bytes` are cached singletons) and caches their hash, so overwriting one in place can corrupt data far from the call site and break dictionary and set lookups that already hashed it; the output written into the immutable object is itself corrupt. The fix (pyca/cryptography PR #8230, released in 39.0.1) makes `update_into` raise an exception instead of writing into a read-only buffer. The issue is not directly exploitable with only attacker-controlled input, but a developer who passes an immutable object and later relies on its contents gets silent data corruption and hard-to-debug behavior.
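As an added example (not code from pyca/cryptography), the block below shows the contract the fix enforces: an update_into-style API must check, before writing anything, that the caller's output buffer is writable, and refuse `bytes` or any other read-only buffer. The XOR "cipher" is a placeholder with no security value; only the buffer handling around it matters. The last function probes an installed cryptography package if one is present, on the assumption that fixed versions surface the refusal as `TypeError` or `BufferError` (the advisory only says an exception is raised).

```python
"""Writable-buffer contract for an update_into-style API (added example).

Illustrates CVE-2023-23931 rather than reproducing pyca/cryptography's code:
the "cipher" below is a keystream-XOR placeholder with no security value; only
the buffer handling around it is the point.
"""
from typing import Optional


def writable_view(buf) -> memoryview:
    """Return a flat, writable byte view of *buf*, or raise TypeError.

    Many objects implement the buffer protocol, but bytes (and any
    memoryview.toreadonly() view) expose a read-only buffer. Writing
    through such a buffer is exactly the bug the advisory describes, so
    the check happens before a single byte is written.
    """
    try:
        view = memoryview(buf)
    except TypeError:
        raise TypeError(
            f"{type(buf).__name__} does not support the buffer protocol"
        ) from None
    if view.readonly:
        raise TypeError(f"output buffer ({type(buf).__name__}) is read-only")
    return view.cast("B")


def toy_update_into(key: bytes, data: bytes, buf) -> int:
    """Write the transformed *data* into *buf*; return the number of bytes written.

    Same calling convention as Cipher.update_into(data, buf): the caller
    supplies and owns the output buffer, the callee reports how much it used.
    """
    out = writable_view(buf)
    if len(out) < len(data):
        raise ValueError(f"output buffer too small: need {len(data)}, have {len(out)}")
    # Placeholder transform, NOT encryption: XOR with a repeating key.
    out[: len(data)] = bytes(b ^ key[i % len(key)] for i, b in enumerate(data))
    return len(data)


def demonstrate() -> dict:
    """Exercise the contract with writable, immutable and read-only buffers."""
    key = b"k3y"
    data = b"attack at dawn"  # constructed sample input
    results: dict = {"rejected": []}

    # 1. A caller-owned bytearray is the intended way to use the API.
    out = bytearray(32)
    n = toy_update_into(key, data, out)
    results["bytearray"] = bytes(out[:n])

    # 2. Applying the XOR placeholder twice returns the original data.
    back = bytearray(32)
    m = toy_update_into(key, bytes(out[:n]), back)
    results["roundtrip"] = bytes(back[:m])

    # 3. Immutable or read-only buffers must be refused, never mutated.
    immutable = b"\x00" * 32
    candidates = (
        immutable,                               # bytes: read-only buffer
        memoryview(immutable),                   # view over bytes: still read-only
        memoryview(bytearray(32)).toreadonly(),  # writable storage, read-only view
    )
    for candidate in candidates:
        try:
            toy_update_into(key, data, candidate)
        except TypeError:
            results["rejected"].append(type(candidate).__name__)
    results["immutable_untouched"] = immutable == b"\x00" * 32

    # 4. The size check is part of the same contract.
    try:
        toy_update_into(key, data, bytearray(len(data) - 1))
    except ValueError:
        results["too_small_rejected"] = True
    return results


def installed_cryptography_rejects_immutable() -> Optional[bool]:
    """Probe the installed cryptography package instead of trusting its version.

    Returns None when cryptography is not importable, True when update_into
    refuses a bytes output buffer (fixed behaviour), False when it silently
    accepts one (affected). Assumption: the refusal is a TypeError or
    BufferError; the advisory only states that an exception is raised.
    """
    try:
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    except ImportError:
        return None
    encryptor = Cipher(algorithms.AES(b"\x00" * 16), modes.ECB()).encryptor()
    # Fresh 32-byte object; on an affected version it is overwritten in place.
    sink = b"\x00" * 32
    try:
        encryptor.update_into(b"\x00" * 16, sink)
    except (TypeError, BufferError):
        return True
    return False


if __name__ == "__main__":
    print(demonstrate())
    print("installed cryptography rejects bytes:", installed_cryptography_rejects_immutable())
```

The probe is the check worth keeping in a CI job: it answers whether the library actually refuses a read-only buffer, which is independent of how the package version was pinned or vendored.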
What is the Impact of CVE-2023-23931?
There is no attacker-facing exploitation path. The impact is silent data corruption inside the application: a `bytes` object passed as the output buffer is overwritten in place, so every other reference to that object, including reused literals and keys already hashed into dictionaries or sets, now holds ciphertext, and application logic can fail in ways that are hard to trace back to the cipher call.
What is the Exploitability of CVE-2023-23931?
This is a soundness bug, not a remotely triggerable vulnerability: attacker-controlled data alone cannot cause it. It requires a developer to pass an immutable buffer (typically `bytes`) to `Cipher.update_into` and, elsewhere, rely on that object's contents being unchanged. No authentication or privileges are involved, and the flaw is local to the application's own code rather than reachable over the network. The primary risk is that application logic assumes the object is still intact after the call, leading to unexpected data states or logical errors in surrounding cryptographic operations.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-23931?
Available Upgrade Options
- cryptography
- >=1.8, <39.0.1 → Upgrade to 39.0.1 or later
After upgrading, any call site that passed a `bytes` object as the output buffer raises an exception instead of silently corrupting it; change those callers to pass a `bytearray` (or another writable buffer) of sufficient size.
Additional Resources
- https://nvd.nist.gov/vuln/detail/CVE-2023-23931
- https://github.com/pypa/advisory-database/tree/main/vulns/cryptography/PYSEC-2023-11.yaml
- https://github.com/pyca/cryptography/security/advisories/GHSA-w7pp-m8wf-vj6r
- https://github.com/pyca/cryptography/commit/d6951dca25de45abd52da51b608055371fbcde4e
- https://security.netapp.com/advisory/ntap-20230324-0007/
- https://github.com/pyca/cryptography/pull/8230/commits/94a50a9731f35405f0357fa5f3b177d46a726ab3
- https://github.com/pyca/cryptography/pull/8230
- https://osv.dev/vulnerability/GHSA-w7pp-m8wf-vj6r
- https://github.com/pyca/cryptography
What are Similar Vulnerabilities to CVE-2023-23931?
Similar Vulnerabilities: CVE-2021-39537, CVE-2021-23359, CVE-2020-8012, CVE-2019-12267, CVE-2018-1000850
