{"id":"CVE-2023-23931","summary":"Cipher.update_into can corrupt memory in pyca cryptography","details":"cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions `Cipher.update_into` would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as `bytes`) to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This now correctly raises an exception. This issue has been present since `update_into` was originally introduced in cryptography 1.8.","aliases":["GHSA-w7pp-m8wf-vj6r","PYSEC-2023-11"],"modified":"2026-04-16T04:39:36.780695409Z","published":"2023-02-07T20:54:03.628Z","related":["ALSA-2023:6615","ALSA-2023:7096","ALSA-2024:2985","CGA-9xvp-xxj7-3h47","SUSE-SU-2023:0722-1","SUSE-SU-2023:0722-2","SUSE-SU-2023:0737-1","SUSE-SU-2023:0837-1","SUSE-SU-2023:0838-1","SUSE-SU-2023:0839-1","SUSE-SU-2023:1763-1","SUSE-SU-2023:1767-1","SUSE-SU-2023:2144-1","SUSE-SU-2023:2218-1","openSUSE-SU-2024:12681-1","openSUSE-SU-2024:12820-1","openSUSE-SU-2025:14739-1"],"database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-754"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/23xxx/CVE-2023-23931.json"},"references":[{"type":"WEB","url":"https://github.com/pyca/cryptography/pull/8230/commits/94a50a9731f35405f0357fa5f3b177d46a726ab3"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2024/10/msg00012.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/23xxx/CVE-2023-23931.json"},{"type":"ADVISORY","url":"https://github.com/pyca/cryptography/security/advisories/GHSA-w7pp-m8wf-vj6r"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2023-23931"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20230324-0007/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/pyca/cryptography","events":[{"introduced":"928e4ee28564359973298624cf023ae5ea7f62c3"},{"fixed":"d6951dca25de45abd52da51b608055371fbcde4e"}]}],"versions":["1.8","1.9","2.0","2.1","2.2","2.3","2.4","2.4.1","2.5","2.6","2.6.1","2.7","2.8","2.9","3.0","3.1","3.2","3.3","3.4","35.0.0","36.0.0","37.0.0","38.0.0","39.0.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-23931.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L"}]}