CVE-2023-40217

Summary

CVE: CVE-2023-40217
State: PUBLIC
Assigner: [email protected]
Source Priority: CVE Program / NVD first with legacy fallback
Published: 2023-08-25 01:15:00 UTC
Updated: 2023-11-07 04:20:00 UTC
Description: An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as "not connected" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.)

Risk And Classification

Problem Types: NVD-CWE-noinfo

NVD Known Affected Configurations (CPE 2.3)

Type        | Vendor | Product | Version | Update | Edition | Language
Application | Python | Python  | All     | All    | All     | All

References

Reference | Source | Link | Tags
Mailman 3 [CVE-2023-40217] Bypass TLS handshake on closed sockets - Security-announce - python.org | (none) | mail.python.org | (none)
Mailman 3 [CVE-2023-40217] Bypass TLS handshake on closed sockets - Security-announce - python.org | CONFIRM | mail.python.org | (none)
[SECURITY] [DLA 3614-1] python3.7 security update | MLIST | lists.debian.org | (none)
Python Security | Python.org | MISC | www.python.org | (none)
CVE-2023-40217 Python Vulnerability in NetApp Products | NetApp Product Security | CONFIRM | security.netapp.com | (none)
[SECURITY] [DLA 3575-1] python2.7 security update | MLIST | lists.debian.org | (none)
CVE Program record | CVE.ORG | www.cve.org | canonical
NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis

Legacy QID Mappings

  • 160980 Oracle Enterprise Linux Security Update for python3.11 (ELSA-2023-5463)
  • 160984 Oracle Enterprise Linux Security Update for python3.11 (ELSA-2023-5456)
  • 160987 Oracle Enterprise Linux Security Update for python3.9 (ELSA-2023-5462)
  • 161019 Oracle Enterprise Linux Security Update for python3 (ELSA-2023-5997)
  • 161020 Oracle Enterprise Linux Security Update for python27:2.7 (ELSA-2023-5994)
  • 161024 Oracle Enterprise Linux Security Update for python39:3.9 and python39-devel:3.9 (ELSA-2023-5998)
  • 161053 Oracle Enterprise Linux Security Update for python3 (ELSA-2023-6823)
  • 161054 Oracle Enterprise Linux Security Update for python (ELSA-2023-6885)
  • 199948 Ubuntu Security Notification for Python Vulnerabilities (USN-6513-1)
  • 199954 Ubuntu Security Notification for Python Vulnerability (USN-6513-2)
  • 242109 Red Hat Update for python3.9 (RHSA-2023:5472)
  • 242113 Red Hat Update for python3.9 (RHSA-2023:5462)
  • 242119 Red Hat Update for python3.11 (RHSA-2023:5456)
  • 242121 Red Hat Update for python3.11 (RHSA-2023:5463)
  • 242130 Red Hat Update for python3 (RHSA-2023:5531)
  • 242133 Red Hat Update for python3 (RHSA-2023:5528)
  • 242232 Red Hat Update for python27:2.7 (RHSA-2023:5991)
  • 242233 Red Hat Update for python3 (RHSA-2023:5997)
  • 242235 Red Hat Update for python27:2.7 (RHSA-2023:5993)
  • 242236 Red Hat Update for python3 (RHSA-2023:5995)
  • 242240 Red Hat Update for python27:2.7 (RHSA-2023:5992)
  • 242242 Red Hat Update for python39:3.9 and python39-devel:3.9 (RHSA-2023:6068)
  • 242243 Red Hat Update for python39:3.9 and python39-devel:3.9 (RHSA-2023:6069)
  • 242344 Red Hat Update for rh-python38-python (RHSA-2023:6793)
  • 242350 Red Hat Update for python3 (RHSA-2023:6823)
  • 242360 Red Hat Update for python27:2.7 (RHSA-2023:5994)
  • 242375 Red Hat Update for python27:2.7 (RHSA-2023:5990)
  • 242383 Red Hat Update for python39:3.9 and python39-devel:3.9 (RHSA-2023:5998)
  • 242393 Red Hat Update for python3 (RHSA-2023:5996)
  • 242406 Red Hat Update for python (RHSA-2023:6885)
  • 257264 Centos Security Update for python3
  • 257266 Centos Security Update for python
  • 257286 CentOS Security Update for python3 (CESA-2023:6823)
  • 257289 CentOS Security Update for python (CESA-2023:6885)
  • 296105 Oracle Solaris 11.4 Support Repository Update (SRU) 63.157.1 Missing (CPUOCT2023)
  • 330152 IBM AIX Multiple Vulnerabilities (python_advisory6)
  • 356309 Amazon Linux Security Advisory for python38 : ALASPYTHON3.8-2023-010
  • 356555 Amazon Linux Security Advisory for python27 : ALAS-2023-1876
  • 356568 Amazon Linux Security Advisory for python38 : ALAS2PYTHON3.8-2023-010
  • 356988 Amazon Linux Security Advisory for python27 : AL2012-2023-472
  • 379037 Alibaba Cloud Linux Security Update for python3 (ALINUX2-SA-2023:0047)
  • 379638 Alibaba Cloud Linux Security Update for python3 (ALINUX3-SA-2024:0040)
  • 505927 Alpine Linux Security Update for python3
  • 6000148 Debian Security Update for python2.7 (DLA 3575-1)
  • 6000279 Debian Security Update for python3.7 (DLA 3614-1)
  • 673594 EulerOS Security Update for python (EulerOS-SA-2024-1160)
  • 673601 EulerOS Security Update for python3 (EulerOS-SA-2023-3227)
  • 673789 EulerOS Security Update for python3 (EulerOS-SA-2023-3284)
  • 673950 EulerOS Security Update for python3 (EulerOS-SA-2023-3192)
  • 673956 EulerOS Security Update for python3 (EulerOS-SA-2023-3256)
  • 754890 SUSE Enterprise Linux Security Update for python39 (SUSE-SU-2023:3708-1)
  • 754905 SUSE Enterprise Linux Security Update for python36 (SUSE-SU-2023:3731-1)
  • 754906 SUSE Enterprise Linux Security Update for python (SUSE-SU-2023:3730-1)
  • 754945 SUSE Enterprise Linux Security Update for python3 (SUSE-SU-2023:3804-1)
  • 754962 SUSE Enterprise Linux Security Update for python3 (SUSE-SU-2023:3828-1)
  • 754966 SUSE Enterprise Linux Security Update for python310 (SUSE-SU-2023:3824-1)
  • 755007 SUSE Enterprise Linux Security Update for python (SUSE-SU-2023:3933-1)
  • 755009 SUSE Enterprise Linux Security Update for python3 (SUSE-SU-2023:3939-1)
  • 755025 SUSE Enterprise Linux Security Update for python311 (SUSE-SU-2023:3943-1)
  • 755918 SUSE Enterprise Linux Security Update for python3 (SUSE-SU-2024:0785-1)
  • 755919 SUSE Enterprise Linux Security Update for python39 (SUSE-SU-2024:0784-1)
  • 908072 Common Base Linux Mariner (CBL-Mariner) Security Update for python3 (31170-1)
  • 941279 AlmaLinux Security Update for python3.11 (ALSA-2023:5463)
  • 941282 AlmaLinux Security Update for python3.9 (ALSA-2023:5462)
  • 941285 AlmaLinux Security Update for python3.11 (ALSA-2023:5456)
  • 941324 AlmaLinux Security Update for python3 (ALSA-2023:5997)
  • 941325 AlmaLinux Security Update for python27:2.7 (ALSA-2023:5994)
  • 941327 AlmaLinux Security Update for python39:3.9 and python39-devel:3.9 (ALSA-2023:5998)
  • 961041 Rocky Linux Security Update for python3.11 (RLSA-2023:5463)
  • 961051 Rocky Linux Security Update for python3 (RLSA-2023:5997)
© CVE.report 2026
