Safety vulnerability ID: 53048
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Cryptography 39.0.1 includes a fix for CVE-2023-23931: In affected versions 'Cipher.update_into' would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as 'bytes') to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This issue has been present since 'update_into' was originally introduced in cryptography 1.8.
Latest version: 43.0.3
cryptography is a package which provides cryptographic recipes and primitives to Python developers.
cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions `Cipher.update_into` would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as `bytes`) to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This now correctly raises an exception. This issue has been present since `update_into` was originally introduced in cryptography 1.8. See CVE-2023-23931.
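An added example, not part of the advisory or of the cryptography project's code: it flags exact `cryptography` pins that fall in the affected range stated above (1.8 up to, but not including, 39.0.1) and shows a caller-side guard that rejects read-only output buffers before they are handed to `update_into`. The function names and the sample requirements text are assumptions constructed for illustration.

```python
import re

# Range taken from the advisory text: present since 1.8, fixed in 39.0.1.
FIRST_AFFECTED = (1, 8, 0)
FIRST_FIXED = (39, 0, 1)
PIN = re.compile(r"^\s*cryptography\s*==\s*([0-9][^\s;#]*)", re.IGNORECASE)


def parse_version(text):
    """Turn '38.0.4' into (38, 0, 4); missing parts count as 0."""
    nums = []
    for piece in text.split(".")[:3]:
        m = re.match(r"\d+", piece)
        if not m:
            break
        nums.append(int(m.group()))
    return tuple(nums + [0] * (3 - len(nums)))


def is_affected(version):
    return FIRST_AFFECTED <= parse_version(version) < FIRST_FIXED


def affected_pins(requirements_text):
    """Return the exact cryptography pins that fall in the affected range."""
    hits = []
    for line in requirements_text.splitlines():
        m = PIN.match(line)
        if m and is_affected(m.group(1)):
            hits.append(m.group(1))
    return hits


def writable_view(buf):
    """Caller-side guard: refuse read-only buffers such as bytes."""
    view = memoryview(buf)
    if view.readonly:
        raise TypeError("output buffer must be writable (e.g. bytearray)")
    return view


# Constructed sample input, not taken from any real project.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
cryptography==38.0.4   # pinned long ago
Cryptography == 39.0.1
"""

if __name__ == "__main__":
    print(affected_pins(SAMPLE_REQUIREMENTS))
    print(len(writable_view(bytearray(32))))  # bytearray is accepted
```

Only exact `==` pins are evaluated; ranges and unpinned entries need the resolved version from the installed environment instead.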
MISC: https://github.com/pyca/cryptography/pull/8230/commits/94a50a9731f35405f0357fa5f3b177d46a726ab3
MISC: https://github.com/pyca/cryptography/security/advisories/GHSA-w7pp-m8wf-vj6r