Search for vulnerabilities
Vulnerability details: VCID-n9kv-drea-47f2
Vulnerability ID VCID-n9kv-drea-47f2
Aliases CVE-2023-38325
GHSA-cf7p-gm2m-833m
PYSEC-2023-112
Summary The cryptography package before 41.0.2 for Python mishandles SSH certificates that have critical options.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-295 Improper Certificate Validation
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-38325.json
epss 0.00791 https://api.first.org/data/v1/epss?cve=CVE-2023-38325
epss 0.00791 https://api.first.org/data/v1/epss?cve=CVE-2023-38325
epss 0.01069 https://api.first.org/data/v1/epss?cve=CVE-2023-38325
epss 0.01069 https://api.first.org/data/v1/epss?cve=CVE-2023-38325
epss 0.01069 https://api.first.org/data/v1/epss?cve=CVE-2023-38325
epss 0.01069 https://api.first.org/data/v1/epss?cve=CVE-2023-38325
epss 0.01069 https://api.first.org/data/v1/epss?cve=CVE-2023-38325
epss 0.01069 https://api.first.org/data/v1/epss?cve=CVE-2023-38325
epss 0.01069 https://api.first.org/data/v1/epss?cve=CVE-2023-38325
epss 0.01069 https://api.first.org/data/v1/epss?cve=CVE-2023-38325
epss 0.01069 https://api.first.org/data/v1/epss?cve=CVE-2023-38325
epss 0.01069 https://api.first.org/data/v1/epss?cve=CVE-2023-38325
epss 0.01069 https://api.first.org/data/v1/epss?cve=CVE-2023-38325
epss 0.01069 https://api.first.org/data/v1/epss?cve=CVE-2023-38325
epss 0.01069 https://api.first.org/data/v1/epss?cve=CVE-2023-38325
epss 0.01069 https://api.first.org/data/v1/epss?cve=CVE-2023-38325
epss 0.01069 https://api.first.org/data/v1/epss?cve=CVE-2023-38325
epss 0.01069 https://api.first.org/data/v1/epss?cve=CVE-2023-38325
epss 0.01069 https://api.first.org/data/v1/epss?cve=CVE-2023-38325
epss 0.01069 https://api.first.org/data/v1/epss?cve=CVE-2023-38325
epss 0.01069 https://api.first.org/data/v1/epss?cve=CVE-2023-38325
epss 0.01069 https://api.first.org/data/v1/epss?cve=CVE-2023-38325
epss 0.01069 https://api.first.org/data/v1/epss?cve=CVE-2023-38325
epss 0.01069 https://api.first.org/data/v1/epss?cve=CVE-2023-38325
cvssv3.1 6.2 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-cf7p-gm2m-833m
cvssv3.1 7.5 https://github.com/pyca/cryptography
generic_textual HIGH https://github.com/pyca/cryptography
cvssv3.1 7.5 https://github.com/pyca/cryptography/commit/1ca7adc97b76a9dfbd3d850628b613eb93b78fc3
generic_textual HIGH https://github.com/pyca/cryptography/commit/1ca7adc97b76a9dfbd3d850628b613eb93b78fc3
cvssv3.1 7.5 https://github.com/pyca/cryptography/compare/41.0.1...41.0.2
generic_textual HIGH https://github.com/pyca/cryptography/compare/41.0.1...41.0.2
ssvc Track https://github.com/pyca/cryptography/compare/41.0.1...41.0.2
cvssv3.1 7.5 https://github.com/pyca/cryptography/issues/9207
generic_textual HIGH https://github.com/pyca/cryptography/issues/9207
ssvc Track https://github.com/pyca/cryptography/issues/9207
cvssv3.1 7.5 https://github.com/pyca/cryptography/pull/7960
generic_textual HIGH https://github.com/pyca/cryptography/pull/7960
cvssv3.1 7.5 https://github.com/pyca/cryptography/pull/9208
generic_textual HIGH https://github.com/pyca/cryptography/pull/9208
ssvc Track https://github.com/pyca/cryptography/pull/9208
cvssv3.1 7.5 https://github.com/pypa/advisory-database/tree/main/vulns/cryptography/PYSEC-2023-112.yaml
generic_textual HIGH https://github.com/pypa/advisory-database/tree/main/vulns/cryptography/PYSEC-2023-112.yaml
cvssv3.1 7.5 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NMCCTYY3CSNQBFFYYC5DAV6KATHWCUZK
generic_textual HIGH https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NMCCTYY3CSNQBFFYYC5DAV6KATHWCUZK
ssvc Track https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NMCCTYY3CSNQBFFYYC5DAV6KATHWCUZK/
cvssv3.1 7.5 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NMCCTYY3CSNQBFFYYC5DAV6KATHWCUZK
generic_textual HIGH https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NMCCTYY3CSNQBFFYYC5DAV6KATHWCUZK
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2023-38325
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2023-38325
cvssv3.1 7.5 https://pypi.org/project/cryptography/#history
generic_textual HIGH https://pypi.org/project/cryptography/#history
ssvc Track https://pypi.org/project/cryptography/#history
cvssv3.1 7.5 https://security.netapp.com/advisory/ntap-20230824-0010
generic_textual HIGH https://security.netapp.com/advisory/ntap-20230824-0010
ssvc Track https://security.netapp.com/advisory/ntap-20230824-0010/
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-38325.json
https://api.first.org/data/v1/epss?cve=CVE-2023-38325
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/pyca/cryptography
https://github.com/pyca/cryptography/commit/1ca7adc97b76a9dfbd3d850628b613eb93b78fc3
https://github.com/pyca/cryptography/compare/41.0.1...41.0.2
https://github.com/pyca/cryptography/issues/9207
https://github.com/pyca/cryptography/pull/7960
https://github.com/pyca/cryptography/pull/9208
https://github.com/pypa/advisory-database/tree/main/vulns/cryptography/PYSEC-2023-112.yaml
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NMCCTYY3CSNQBFFYYC5DAV6KATHWCUZK
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NMCCTYY3CSNQBFFYYC5DAV6KATHWCUZK
https://nvd.nist.gov/vuln/detail/CVE-2023-38325
https://pypi.org/project/cryptography/#history
https://security.netapp.com/advisory/ntap-20230824-0010
2231271 https://bugzilla.redhat.com/show_bug.cgi?id=2231271
cpe:2.3:a:cryptography.io:cryptography:*:*:*:*:*:python:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:cryptography.io:cryptography:*:*:*:*:*:python:*:*
GHSA-cf7p-gm2m-833m https://github.com/advisories/GHSA-cf7p-gm2m-833m
NMCCTYY3CSNQBFFYYC5DAV6KATHWCUZK https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NMCCTYY3CSNQBFFYYC5DAV6KATHWCUZK/
ntap-20230824-0010 https://security.netapp.com/advisory/ntap-20230824-0010/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-38325.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/pyca/cryptography
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/pyca/cryptography/commit/1ca7adc97b76a9dfbd3d850628b613eb93b78fc3
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/pyca/cryptography/compare/41.0.1...41.0.2
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-30T16:00:20Z/ Found at https://github.com/pyca/cryptography/compare/41.0.1...41.0.2
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/pyca/cryptography/issues/9207
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-30T16:00:20Z/ Found at https://github.com/pyca/cryptography/issues/9207
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/pyca/cryptography/pull/7960
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/pyca/cryptography/pull/9208
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-30T16:00:20Z/ Found at https://github.com/pyca/cryptography/pull/9208
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://github.com/pypa/advisory-database/tree/main/vulns/cryptography/PYSEC-2023-112.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NMCCTYY3CSNQBFFYYC5DAV6KATHWCUZK
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-30T16:00:20Z/ Found at https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NMCCTYY3CSNQBFFYYC5DAV6KATHWCUZK/
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NMCCTYY3CSNQBFFYYC5DAV6KATHWCUZK
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2023-38325
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://pypi.org/project/cryptography/#history
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-30T16:00:20Z/ Found at https://pypi.org/project/cryptography/#history
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Found at https://security.netapp.com/advisory/ntap-20230824-0010
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-30T16:00:20Z/ Found at https://security.netapp.com/advisory/ntap-20230824-0010/
Exploit Prediction Scoring System (EPSS)
Percentile 0.72947
EPSS Score 0.00791
Published At July 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T08:22:47.906952+00:00 Pypa Importer Import https://github.com/pypa/advisory-database/blob/main/vulns/cryptography/PYSEC-2023-112.yaml 37.0.0