ghsa-w7pp-m8wf-vj6r
Vulnerability from github
6.9 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
Previously, Cipher.update_into
would accept Python objects which implement the buffer protocol, but provide only immutable buffers:
```pycon
outbuf = b"\x00" * 32 c = ciphers.Cipher(AES(b"\x00" * 32), modes.ECB()).encryptor() c.update_into(b"\x00" * 16, outbuf) 16 outbuf b'\xdc\x95\xc0x\xa2@\x89\x89\xadH\xa2\x14\x92\x84 \x87\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' ```
This would allow immutable objects (such as bytes
) to be mutated, thus violating fundamental rules of Python. This is a soundness bug -- it allows programmers to misuse an API, it cannot be exploited by attacker controlled data alone.
This now correctly raises an exception.
This issue has been present since update_into
was originally introduced in cryptography 1.8.
{ "affected": [ { "ecosystem_specific": { "affected_functions": [ "cryptography.hazmat.primitives.ciphers.Cipher" ] }, "package": { "ecosystem": "PyPI", "name": "cryptography" }, "ranges": [ { "events": [ { "introduced": "1.8" }, { "fixed": "39.0.1" } ], "type": "ECOSYSTEM" } ] } ], "aliases": [ "CVE-2023-23931" ], "database_specific": { "cwe_ids": [ "CWE-754" ], "github_reviewed": true, "github_reviewed_at": "2023-02-07T20:54:10Z", "nvd_published_at": "2023-02-07T21:15:00Z", "severity": "MODERATE" }, "details": "Previously, `Cipher.update_into` would accept Python objects which implement the buffer protocol, but provide only immutable buffers:\n\n```pycon\n\u003e\u003e\u003e outbuf = b\"\\x00\" * 32\n\u003e\u003e\u003e c = ciphers.Cipher(AES(b\"\\x00\" * 32), modes.ECB()).encryptor()\n\u003e\u003e\u003e c.update_into(b\"\\x00\" * 16, outbuf)\n16\n\u003e\u003e\u003e outbuf\nb\u0027\\xdc\\x95\\xc0x\\xa2@\\x89\\x89\\xadH\\xa2\\x14\\x92\\x84 \\x87\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\u0027\n```\n\nThis would allow immutable objects (such as `bytes`) to be mutated, thus violating fundamental rules of Python. This is a soundness bug -- it allows programmers to misuse an API, it cannot be exploited by attacker controlled data alone.\n\nThis now correctly raises an exception.\n\nThis issue has been present since `update_into` was originally introduced in cryptography 1.8.", "id": "GHSA-w7pp-m8wf-vj6r", "modified": "2024-09-13T20:07:50Z", "published": "2023-02-07T20:54:10Z", "references": [ { "type": "WEB", "url": "https://github.com/pyca/cryptography/security/advisories/GHSA-w7pp-m8wf-vj6r" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23931" }, { "type": "WEB", "url": "https://github.com/pyca/cryptography/pull/8230" }, { "type": "WEB", "url": "https://github.com/pyca/cryptography/commit/d6951dca25de45abd52da51b608055371fbcde4e" }, { "type": "PACKAGE", "url": "https://github.com/pyca/cryptography" }, { "type": "WEB", "url": "https://github.com/pypa/advisory-database/tree/main/vulns/cryptography/PYSEC-2023-11.yaml" } ], "schema_version": "1.4.0", "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "type": "CVSS_V3" }, { "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N", "type": "CVSS_V4" } ], "summary": "Cipher.update_into can corrupt memory if passed an immutable python object as the outbuf" }
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.