GHSA-w7pp-m8wf-vj6r
Vulnerability from github
6.9 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
Previously, Cipher.update_into would accept Python objects which implement the buffer protocol, but provide only immutable buffers:
```pycon
outbuf = b"\x00" * 32 c = ciphers.Cipher(AES(b"\x00" * 32), modes.ECB()).encryptor() c.update_into(b"\x00" * 16, outbuf) 16 outbuf b'\xdc\x95\xc0x\xa2@\x89\x89\xadH\xa2\x14\x92\x84 \x87\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' ```
This would allow immutable objects (such as bytes) to be mutated, thus violating fundamental rules of Python. This is a soundness bug -- it allows programmers to misuse an API, it cannot be exploited by attacker controlled data alone.
This now correctly raises an exception.
This issue has been present since update_into was originally introduced in cryptography 1.8.
{ affected: [ { package: { ecosystem: "PyPI", name: "cryptography", }, ranges: [ { events: [ { introduced: "1.8", }, { fixed: "39.0.1", }, ], type: "ECOSYSTEM", }, ], }, ], aliases: [ "CVE-2023-23931", ], database_specific: { cwe_ids: [ "CWE-754", ], github_reviewed: true, github_reviewed_at: "2023-02-07T20:54:10Z", nvd_published_at: "2023-02-07T21:15:00Z", severity: "MODERATE", }, details: "Previously, `Cipher.update_into` would accept Python objects which implement the buffer protocol, but provide only immutable buffers:\n\n```pycon\n>>> outbuf = b\"\\x00\" * 32\n>>> c = ciphers.Cipher(AES(b\"\\x00\" * 32), modes.ECB()).encryptor()\n>>> c.update_into(b\"\\x00\" * 16, outbuf)\n16\n>>> outbuf\nb'\\xdc\\x95\\xc0x\\xa2@\\x89\\x89\\xadH\\xa2\\x14\\x92\\x84 \\x87\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00'\n```\n\nThis would allow immutable objects (such as `bytes`) to be mutated, thus violating fundamental rules of Python. This is a soundness bug -- it allows programmers to misuse an API, it cannot be exploited by attacker controlled data alone.\n\nThis now correctly raises an exception.\n\nThis issue has been present since `update_into` was originally introduced in cryptography 1.8.", id: "GHSA-w7pp-m8wf-vj6r", modified: "2024-09-13T20:07:50Z", published: "2023-02-07T20:54:10Z", references: [ { type: "WEB", url: "https://github.com/pyca/cryptography/security/advisories/GHSA-w7pp-m8wf-vj6r", }, { type: "ADVISORY", url: "https://nvd.nist.gov/vuln/detail/CVE-2023-23931", }, { type: "WEB", url: "https://github.com/pyca/cryptography/pull/8230", }, { type: "WEB", url: "https://github.com/pyca/cryptography/commit/d6951dca25de45abd52da51b608055371fbcde4e", }, { type: "PACKAGE", url: "https://github.com/pyca/cryptography", }, { type: "WEB", url: "https://github.com/pypa/advisory-database/tree/main/vulns/cryptography/PYSEC-2023-11.yaml", }, ], schema_version: "1.4.0", severity: [ { score: "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", type: "CVSS_V3", }, { score: "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N", type: "CVSS_V4", }, ], summary: "Cipher.update_into can corrupt memory if passed an immutable python object as the outbuf", }
Log in or create an account to share your comment.
This schema specifies the format of a comment related to a security advisory.
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.