CVE-2023-52323
Information Disclosure vulnerability in pycryptodomex (PyPI)

Information Disclosure | No known exploit

What is CVE-2023-52323 About?

This vulnerability is an Information Disclosure flaw that enables malicious users to read sensitive files on the server. The impact includes unauthorized access to confidential data. Exploitation is likely moderately difficult, depending on the specific mechanism triggering the file read.

Affected Software

  • pycryptodomex
    • <3.19.1
  • pycryptodome
    • <3.19.1

Technical Details

The vulnerability allows malicious users to read sensitive files on the server. This typically occurs when an application processes user-controlled input in a way that leads to arbitrary file access. It could happen, for example, through an unchecked input field that is used to construct file paths, allowing directory traversal (e.g., ../../), or through bypassing access control mechanisms when reading files. The mechanism could also involve server-side request forgery (SSRF), where an attacker coerces the server into returning the content of local files, or XML External Entity (XXE) injection if the application processes XML input insecurely. The core issue is the failure to adequately restrict file access based on user privileges or to sanitize input that dictates file operations.

What is the Impact of CVE-2023-52323?

Successful exploitation may allow attackers to gain unauthorized access to sensitive data, cryptographic keys, configuration files, or other confidential information stored on the server, leading to data breaches or further system compromise.

What is the Exploitability of CVE-2023-52323?

Exploitation complexity varies from moderate to high, depending on the specific attack vector (e.g., path traversal, SSRF, XXE). Authentication requirements depend on whether the vulnerable function is accessible pre-authentication or requires a logged-in user. Privilege requirements are typically those of the application itself, as the vulnerability is used to bypass internal file access controls. It can be remote (e.g., via web request parameters) or local (e.g., via processing a malicious file). Constraints might include the file system structure or the presence of specific parsers. The risk factor increases if the application processes untrusted user input that directly or indirectly influences file operations or paths, or if it has known configurations vulnerable to SSRF/XXE.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2023-52323?

Available Upgrade Options

  • pycryptodome
    • <3.19.1 → Upgrade to 3.19.1
  • pycryptodomex
    • <3.19.1 → Upgrade to 3.19.1
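To find pins that still fall in the affected range listed above, the following added example (not code from this advisory or from the PyCryptodome project) scans pip-freeze-style `name==version` lines. The function names and the sample input are constructed for illustration, and the version comparison is a simplified reading of PEP 440 that assumes plain numeric releases with an optional pre-release suffix.

```python
import re

# Package names and the fixed version come from the advisory above.
AFFECTED = {"pycryptodome", "pycryptodomex"}
FIXED = (3, 19, 1)

PIN = re.compile(r"^\s*([A-Za-z0-9._-]+)\s*==\s*([^\s;#]+)")
VER = re.compile(r"^(\d+(?:\.\d+)*)(.*)$")
PRE = re.compile(r"^[._-]?(a|b|c|rc|alpha|beta|pre|preview|dev)", re.I)

# Constructed sample input, not taken from a real project.
SAMPLE = """\
# requirements.txt
requests==2.31.0
pycryptodome==3.19.0
PyCryptodomeX==3.19.1
pycryptodomex==3.9.9  # old pin
pycryptodome==3.19.1rc1
"""


def normalize(name):
    """PEP 503 normalization: lowercase, runs of '-', '_', '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def is_affected(version):
    """True if version sorts before FIXED; unparseable versions are flagged."""
    m = VER.match(version.strip().lstrip("vV"))
    if not m:
        return True  # cannot prove the pin is fixed, so report it
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums += (0,) * (len(FIXED) - len(nums))  # "3.19" compares as 3.19.0
    if nums != FIXED:
        return nums < FIXED  # numeric comparison, so 3.9.9 < 3.19.1
    # Pre-releases of the fixed version (3.19.1rc1, 3.19.1.dev0) sort before it.
    return bool(PRE.match(m.group(2)))


def find_affected_pins(requirements_text):
    """Return (line number, normalized name, version) for each affected pin."""
    hits = []
    for lineno, line in enumerate(requirements_text.splitlines(), 1):
        m = PIN.match(line)
        if m and normalize(m.group(1)) in AFFECTED and is_affected(m.group(2)):
            hits.append((lineno, normalize(m.group(1)), m.group(2)))
    return hits


if __name__ == "__main__":
    for lineno, name, version in find_affected_pins(SAMPLE):
        print(f"line {lineno}: {name}=={version} is below 3.19.1")
```

Unpinned or range-constrained requirements (for example `pycryptodome>=3.0`) are not matched by this check and need the resolved version from the installed environment instead.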

What are Similar Vulnerabilities to CVE-2023-52323?

Similar Vulnerabilities: CVE-2023-6831, CVE-2023-5115, CVE-2023-45585, CVE-2023-44406, CVE-2023-38501