Is CVE-2023-23931 actively exploited?

CVE-2023-23931 has no public evidence of in-the-wild exploitation as of 2025-11-03.

What is the CVSS score for CVE-2023-23931?

CVE-2023-23931 has a CVSS score of 4.8 (MEDIUM severity). Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L.

How do I patch CVE-2023-23931?

Patch guidance is available from cryptography.io security advisories. CVEDatabase generates AI-assisted remediation guidance on demand for CVE-2023-23931.

Which products are affected by CVE-2023-23931?

1 product: cryptography.io cryptography.

CVE-2023-23931 - remediation guidance & executive summary

Description

cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. In affected versions `Cipher.update_into` would accept Python objects which implement the buffer protocol, but provide only immutable buffers. This would allow immutable objects (such as `bytes`) to be mutated, thus violating fundamental rules of Python and resulting in corrupted output. This now correctly raises an exception. This issue has been present since `update_into` was originally introduced in cryptography 1.8.

CVSS Metrics

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
Attack Vector: network
Complexity: high
Privileges: none
User Action: none
Scope: unchanged
Confidentiality: none
Integrity: low
Availability: low
Weaknesses: CWE-754

Metadata

Primary Vendor: CRYPTOGRAPHY.IO
Published: 2/7/2023
Last Modified: 11/3/2025
Source: NIST NVD
Note: Verify all details with official vendor sources before applying patches.

Affected Products

cryptography.io : cryptography

Remediation Guidance

Executive Summary

Cite this page

CVE-2023-23931. CVEDatabase.com. Retrieved 1 May 2026. https://cvedatabase.com/cve/CVE-2023-23931

View on NIST NVD

CVE-2023-23931 vulnerability