{"api_version":"1","generated_at":"2026-04-19T08:16:20+00:00","cve":"CVE-2023-40217","urls":{"html":"https://cve.report/CVE-2023-40217","api":"https://cve.report/api/cve/CVE-2023-40217.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2023-40217","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2023-40217"},"summary":{"title":"CVE-2023-40217","description":"An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as \"not connected\" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.)","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2023-08-25 01:15:00","updated_at":"2023-11-07 04:20:00"},"problem_types":["NVD-CWE-noinfo"],"metrics":[],"references":[{"url":"https://mail.python.org/archives/list/security-announce%40python.org/thread/PEPLII27KYHLF4AK3ZQGKYNCRERG4YXY/","name":"https://mail.python.org/archives/list/security-announce%40python.org/thread/PEPLII27KYHLF4AK3ZQGKYNCRERG4YXY/","refsource":"","tags":[],"title":"Mailman 3 \n[CVE-2023-40217] Bypass TLS handshake on closed sockets - Security-announce - python.org","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://mail.python.org/archives/list/security-announce@python.org/thread/PEPLII27KYHLF4AK3ZQGKYNCRERG4YXY/","name":"https://mail.python.org/archives/list/security-announce@python.org/thread/PEPLII27KYHLF4AK3ZQGKYNCRERG4YXY/","refsource":"CONFIRM","tags":[],"title":"Mailman 3 \n[CVE-2023-40217] Bypass TLS handshake on closed sockets - Security-announce - python.org","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.debian.org/debian-lts-announce/2023/10/msg00017.html","name":"[debian-lts-announce] 20231011 [SECURITY] [DLA 3614-1] python3.7 security update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 3614-1] python3.7 security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.python.org/dev/security/","name":"https://www.python.org/dev/security/","refsource":"MISC","tags":[],"title":"Python Security | Python.org","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.netapp.com/advisory/ntap-20231006-0014/","name":"https://security.netapp.com/advisory/ntap-20231006-0014/","refsource":"CONFIRM","tags":[],"title":"CVE-2023-40217 Python Vulnerability in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html","name":"[debian-lts-announce] 20230920 [SECURITY] [DLA 3575-1] python2.7 security update","refsource":"MLIST","tags":[],"title":"[SECURITY] [DLA 3575-1] python2.7 security update","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2023-40217","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-40217","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2023","cve_id":"40217","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"python","cpe5":"python","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2023-40217","qid":"160980","title":"Oracle Enterprise Linux Security Update for python3.11 (ELSA-2023-5463)"},{"cve":"CVE-2023-40217","qid":"160984","title":"Oracle Enterprise Linux Security Update for python3.11 (ELSA-2023-5456)"},{"cve":"CVE-2023-40217","qid":"160987","title":"Oracle Enterprise Linux Security Update for python3.9 (ELSA-2023-5462)"},{"cve":"CVE-2023-40217","qid":"161019","title":"Oracle Enterprise Linux Security Update for python3 (ELSA-2023-5997)"},{"cve":"CVE-2023-40217","qid":"161020","title":"Oracle Enterprise Linux Security Update for python27:2.7 (ELSA-2023-5994)"},{"cve":"CVE-2023-40217","qid":"161024","title":"Oracle Enterprise Linux Security Update for python39:3.9 and python39-devel:3.9 (ELSA-2023-5998)"},{"cve":"CVE-2023-40217","qid":"161053","title":"Oracle Enterprise Linux Security Update for python3 (ELSA-2023-6823)"},{"cve":"CVE-2023-40217","qid":"161054","title":"Oracle Enterprise Linux Security Update for python (ELSA-2023-6885)"},{"cve":"CVE-2023-40217","qid":"199948","title":"Ubuntu Security Notification for Python Vulnerabilities (USN-6513-1)"},{"cve":"CVE-2023-40217","qid":"199954","title":"Ubuntu Security Notification for Python Vulnerability (USN-6513-2)"},{"cve":"CVE-2023-40217","qid":"242109","title":"Red Hat Update for python3.9 (RHSA-2023:5472)"},{"cve":"CVE-2023-40217","qid":"242113","title":"Red Hat Update for python3.9 (RHSA-2023:5462)"},{"cve":"CVE-2023-40217","qid":"242119","title":"Red Hat Update for python3.11 (RHSA-2023:5456)"},{"cve":"CVE-2023-40217","qid":"242121","title":"Red Hat Update for python3.11 (RHSA-2023:5463)"},{"cve":"CVE-2023-40217","qid":"242130","title":"Red Hat Update for python3 (RHSA-2023:5531)"},{"cve":"CVE-2023-40217","qid":"242133","title":"Red Hat Update for python3 (RHSA-2023:5528)"},{"cve":"CVE-2023-40217","qid":"242232","title":"Red Hat Update for python27:2.7 (RHSA-2023:5991)"},{"cve":"CVE-2023-40217","qid":"242233","title":"Red Hat Update for python3 (RHSA-2023:5997)"},{"cve":"CVE-2023-40217","qid":"242235","title":"Red Hat Update for python27:2.7 (RHSA-2023:5993)"},{"cve":"CVE-2023-40217","qid":"242236","title":"Red Hat Update for python3 (RHSA-2023:5995)"},{"cve":"CVE-2023-40217","qid":"242240","title":"Red Hat Update for python27:2.7 (RHSA-2023:5992)"},{"cve":"CVE-2023-40217","qid":"242242","title":"Red Hat Update for python39:3.9 and python39-devel:3.9 (RHSA-2023:6068)"},{"cve":"CVE-2023-40217","qid":"242243","title":"Red Hat Update for python39:3.9 and python39-devel:3.9 (RHSA-2023:6069)"},{"cve":"CVE-2023-40217","qid":"242344","title":"Red Hat Update for rh-python38-python (RHSA-2023:6793)"},{"cve":"CVE-2023-40217","qid":"242350","title":"Red Hat Update for python3 (RHSA-2023:6823)"},{"cve":"CVE-2023-40217","qid":"242360","title":"Red Hat Update for python27:2.7 (RHSA-2023:5994)"},{"cve":"CVE-2023-40217","qid":"242375","title":"Red Hat Update for python27:2.7 (RHSA-2023:5990)"},{"cve":"CVE-2023-40217","qid":"242383","title":"Red Hat Update for python39:3.9 and python39-devel:3.9 (RHSA-2023:5998)"},{"cve":"CVE-2023-40217","qid":"242393","title":"Red Hat Update for python3 (RHSA-2023:5996)"},{"cve":"CVE-2023-40217","qid":"242406","title":"Red Hat Update for python (RHSA-2023:6885)"},{"cve":"CVE-2023-40217","qid":"257264","title":"Centos Security Update for python3"},{"cve":"CVE-2023-40217","qid":"257266","title":"Centos Security Update for python"},{"cve":"CVE-2023-40217","qid":"257286","title":"CentOS Security Update for python3 (CESA-2023:6823)"},{"cve":"CVE-2023-40217","qid":"257289","title":"CentOS Security Update for python (CESA-2023:6885)"},{"cve":"CVE-2023-40217","qid":"296105","title":"Oracle Solaris 11.4 Support Repository Update (SRU) 63.157.1 Missing (CPUOCT2023)"},{"cve":"CVE-2023-40217","qid":"330152","title":"IBM AIX Multiple Vulnerabilities (python_advisory6)"},{"cve":"CVE-2023-40217","qid":"356309","title":"Amazon Linux Security Advisory for python38 : ALASPYTHON3.8-2023-010"},{"cve":"CVE-2023-40217","qid":"356555","title":"Amazon Linux Security Advisory for python27 : ALAS-2023-1876"},{"cve":"CVE-2023-40217","qid":"356568","title":"Amazon Linux Security Advisory for python38 : ALAS2PYTHON3.8-2023-010"},{"cve":"CVE-2023-40217","qid":"356988","title":"Amazon Linux Security Advisory for python27 : AL2012-2023-472"},{"cve":"CVE-2023-40217","qid":"379037","title":"Alibaba Cloud Linux Security Update for python3 (ALINUX2-SA-2023:0047)"},{"cve":"CVE-2023-40217","qid":"379638","title":"Alibaba Cloud Linux Security Update for python3 (ALINUX3-SA-2024:0040)"},{"cve":"CVE-2023-40217","qid":"505927","title":"Alpine Linux Security Update for python3"},{"cve":"CVE-2023-40217","qid":"6000148","title":"Debian Security Update for python2.7 (DLA 3575-1)"},{"cve":"CVE-2023-40217","qid":"6000279","title":"Debian Security Update for python3.7 (DLA 3614-1)"},{"cve":"CVE-2023-40217","qid":"673594","title":"EulerOS Security Update for python (EulerOS-SA-2024-1160)"},{"cve":"CVE-2023-40217","qid":"673601","title":"EulerOS Security Update for python3 (EulerOS-SA-2023-3227)"},{"cve":"CVE-2023-40217","qid":"673789","title":"EulerOS Security Update for python3 (EulerOS-SA-2023-3284)"},{"cve":"CVE-2023-40217","qid":"673950","title":"EulerOS Security Update for python3 (EulerOS-SA-2023-3192)"},{"cve":"CVE-2023-40217","qid":"673956","title":"EulerOS Security Update for python3 (EulerOS-SA-2023-3256)"},{"cve":"CVE-2023-40217","qid":"754890","title":"SUSE Enterprise Linux Security Update for python39 (SUSE-SU-2023:3708-1)"},{"cve":"CVE-2023-40217","qid":"754905","title":"SUSE Enterprise Linux Security Update for python36 (SUSE-SU-2023:3731-1)"},{"cve":"CVE-2023-40217","qid":"754906","title":"SUSE Enterprise Linux Security Update for python (SUSE-SU-2023:3730-1)"},{"cve":"CVE-2023-40217","qid":"754945","title":"SUSE Enterprise Linux Security Update for python3 (SUSE-SU-2023:3804-1)"},{"cve":"CVE-2023-40217","qid":"754962","title":"SUSE Enterprise Linux Security Update for python3 (SUSE-SU-2023:3828-1)"},{"cve":"CVE-2023-40217","qid":"754966","title":"SUSE Enterprise Linux Security Update for python310 (SUSE-SU-2023:3824-1)"},{"cve":"CVE-2023-40217","qid":"755007","title":"SUSE Enterprise Linux Security Update for python (SUSE-SU-2023:3933-1)"},{"cve":"CVE-2023-40217","qid":"755009","title":"SUSE Enterprise Linux Security Update for python3 (SUSE-SU-2023:3939-1)"},{"cve":"CVE-2023-40217","qid":"755025","title":"SUSE Enterprise Linux Security Update for python311 (SUSE-SU-2023:3943-1)"},{"cve":"CVE-2023-40217","qid":"755918","title":"SUSE Enterprise Linux Security Update for python3 (SUSE-SU-2024:0785-1)"},{"cve":"CVE-2023-40217","qid":"755919","title":"SUSE Enterprise Linux Security Update for python39 (SUSE-SU-2024:0784-1)"},{"cve":"CVE-2023-40217","qid":"908072","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for python3 (31170-1)"},{"cve":"CVE-2023-40217","qid":"941279","title":"AlmaLinux Security Update for python3.11 (ALSA-2023:5463)"},{"cve":"CVE-2023-40217","qid":"941282","title":"AlmaLinux Security Update for python3.9 (ALSA-2023:5462)"},{"cve":"CVE-2023-40217","qid":"941285","title":"AlmaLinux Security Update for python3.11 (ALSA-2023:5456)"},{"cve":"CVE-2023-40217","qid":"941324","title":"AlmaLinux Security Update for python3 (ALSA-2023:5997)"},{"cve":"CVE-2023-40217","qid":"941325","title":"AlmaLinux Security Update for python27:2.7 (ALSA-2023:5994)"},{"cve":"CVE-2023-40217","qid":"941327","title":"AlmaLinux Security Update for python39:3.9 and python39-devel:3.9 (ALSA-2023:5998)"},{"cve":"CVE-2023-40217","qid":"961041","title":"Rocky Linux Security Update for python3.11 (RLSA-2023:5463)"},{"cve":"CVE-2023-40217","qid":"961051","title":"Rocky Linux Security Update for python3 (RLSA-2023:5997)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2023-40217","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as \"not connected\" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.)"}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"url":"https://www.python.org/dev/security/","refsource":"MISC","name":"https://www.python.org/dev/security/"},{"refsource":"CONFIRM","name":"https://mail.python.org/archives/list/security-announce@python.org/thread/PEPLII27KYHLF4AK3ZQGKYNCRERG4YXY/","url":"https://mail.python.org/archives/list/security-announce@python.org/thread/PEPLII27KYHLF4AK3ZQGKYNCRERG4YXY/"},{"refsource":"MLIST","name":"[debian-lts-announce] 20230920 [SECURITY] [DLA 3575-1] python2.7 security update","url":"https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html"},{"refsource":"CONFIRM","name":"https://security.netapp.com/advisory/ntap-20231006-0014/","url":"https://security.netapp.com/advisory/ntap-20231006-0014/"},{"refsource":"MLIST","name":"[debian-lts-announce] 20231011 [SECURITY] [DLA 3614-1] python3.7 security update","url":"https://lists.debian.org/debian-lts-announce/2023/10/msg00017.html"}]}},"nvd":{"publishedDate":"2023-08-25 01:15:00","lastModifiedDate":"2023-11-07 04:20:00","problem_types":["NVD-CWE-noinfo"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":5.3,"baseSeverity":"MEDIUM"},"exploitabilityScore":3.9,"impactScore":1.4}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:python:python:*:*:*:*:*:*:*:*","versionStartIncluding":"3.11.0","versionEndExcluding":"3.11.5","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:python:python:*:*:*:*:*:*:*:*","versionStartIncluding":"3.10.0","versionEndExcluding":"3.10.13","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:python:python:*:*:*:*:*:*:*:*","versionStartIncluding":"3.9.0","versionEndExcluding":"3.9.18","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:python:python:*:*:*:*:*:*:*:*","versionEndExcluding":"3.8.18","cpe_name":[]}]}]}},"legacy_mitre":{"record":null,"notes":[]}}}