Vulnerability details: VCID-n26h-8x4z-ufbf
Vulnerability ID VCID-n26h-8x4z-ufbf
Aliases CVE-2023-23931
GHSA-w7pp-m8wf-vj6r
PYSEC-2023-11
Summary cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions `Cipher.update_into` would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as `bytes`) to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This now correctly raises an exception. This issue has been present since `update_into` was originally introduced in cryptography 1.8.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Weaknesses (3)
System Score Found at
cvssv3 6.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-23931.json
epss 0.00331 https://api.first.org/data/v1/epss?cve=CVE-2023-23931
epss 0.00341 https://api.first.org/data/v1/epss?cve=CVE-2023-23931
epss 0.00717 https://api.first.org/data/v1/epss?cve=CVE-2023-23931
epss 0.00737 https://api.first.org/data/v1/epss?cve=CVE-2023-23931
cvssv3.1 4 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-w7pp-m8wf-vj6r
cvssv3.1 6.5 https://github.com/pyca/cryptography
generic_textual MODERATE https://github.com/pyca/cryptography
cvssv3.1 6.5 https://github.com/pyca/cryptography/commit/d6951dca25de45abd52da51b608055371fbcde4e
generic_textual MODERATE https://github.com/pyca/cryptography/commit/d6951dca25de45abd52da51b608055371fbcde4e
cvssv3.1 6.5 https://github.com/pyca/cryptography/pull/8230
generic_textual MODERATE https://github.com/pyca/cryptography/pull/8230
cvssv3.1 4.8 https://github.com/pyca/cryptography/pull/8230/commits/94a50a9731f35405f0357fa5f3b177d46a726ab3
ssvc Track https://github.com/pyca/cryptography/pull/8230/commits/94a50a9731f35405f0357fa5f3b177d46a726ab3
cvssv3.1 4.8 https://github.com/pyca/cryptography/security/advisories/GHSA-w7pp-m8wf-vj6r
cvssv3.1 6.5 https://github.com/pyca/cryptography/security/advisories/GHSA-w7pp-m8wf-vj6r
cvssv3.1_qr MODERATE https://github.com/pyca/cryptography/security/advisories/GHSA-w7pp-m8wf-vj6r
generic_textual MODERATE https://github.com/pyca/cryptography/security/advisories/GHSA-w7pp-m8wf-vj6r
ssvc Track https://github.com/pyca/cryptography/security/advisories/GHSA-w7pp-m8wf-vj6r
cvssv3.1 6.5 https://github.com/pypa/advisory-database/tree/main/vulns/cryptography/PYSEC-2023-11.yaml
generic_textual MODERATE https://github.com/pypa/advisory-database/tree/main/vulns/cryptography/PYSEC-2023-11.yaml
cvssv3.1 6.5 https://nvd.nist.gov/vuln/detail/CVE-2023-23931
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2023-23931
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-23931.json
https://api.first.org/data/v1/epss?cve=CVE-2023-23931
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23931
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/pyca/cryptography
https://github.com/pyca/cryptography/commit/d6951dca25de45abd52da51b608055371fbcde4e
https://github.com/pyca/cryptography/pull/8230
https://github.com/pyca/cryptography/pull/8230/commits/94a50a9731f35405f0357fa5f3b177d46a726ab3
https://github.com/pyca/cryptography/security/advisories/GHSA-w7pp-m8wf-vj6r
https://github.com/pypa/advisory-database/tree/main/vulns/cryptography/PYSEC-2023-11.yaml
https://nvd.nist.gov/vuln/detail/CVE-2023-23931
https://security.netapp.com/advisory/ntap-20230324-0007/
1031049 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031049
2171817 https://bugzilla.redhat.com/show_bug.cgi?id=2171817
cpe:2.3:a:cryptography.io:cryptography:*:*:*:*:*:python:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:cryptography.io:cryptography:*:*:*:*:*:python:*:*
GHSA-w7pp-m8wf-vj6r https://github.com/advisories/GHSA-w7pp-m8wf-vj6r
RHSA-2023:4693 https://access.redhat.com/errata/RHSA-2023:4693
RHSA-2023:4971 https://access.redhat.com/errata/RHSA-2023:4971
RHSA-2023:6615 https://access.redhat.com/errata/RHSA-2023:6615
RHSA-2023:6793 https://access.redhat.com/errata/RHSA-2023:6793
RHSA-2023:7096 https://access.redhat.com/errata/RHSA-2023:7096
RHSA-2023:7341 https://access.redhat.com/errata/RHSA-2023:7341
RHSA-2024:2985 https://access.redhat.com/errata/RHSA-2024:2985
USN-6539-1 https://usn.ubuntu.com/6539-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-23931.json
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L Found at https://github.com/pyca/cryptography
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L Found at https://github.com/pyca/cryptography/commit/d6951dca25de45abd52da51b608055371fbcde4e
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L Found at https://github.com/pyca/cryptography/pull/8230
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L Found at https://github.com/pyca/cryptography/pull/8230/commits/94a50a9731f35405f0357fa5f3b177d46a726ab3
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T21:01:11Z/ Found at https://github.com/pyca/cryptography/pull/8230/commits/94a50a9731f35405f0357fa5f3b177d46a726ab3
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L Found at https://github.com/pyca/cryptography/security/advisories/GHSA-w7pp-m8wf-vj6r
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L Found at https://github.com/pyca/cryptography/security/advisories/GHSA-w7pp-m8wf-vj6r
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-10T21:01:11Z/ Found at https://github.com/pyca/cryptography/security/advisories/GHSA-w7pp-m8wf-vj6r
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L Found at https://github.com/pypa/advisory-database/tree/main/vulns/cryptography/PYSEC-2023-11.yaml
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L Found at https://nvd.nist.gov/vuln/detail/CVE-2023-23931
Exploit Prediction Scoring System (EPSS)
Percentile 0.55627
EPSS Score 0.00331
Published At Aug. 1, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T08:21:44.893544+00:00 Pypa Importer Import https://github.com/pypa/advisory-database/blob/main/vulns/cryptography/PYSEC-2023-11.yaml 37.0.0