NVD Vulnerability Detail

CVE-2023-40217

Summary	An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as "not connected" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.)
Publication Date	Aug. 25, 2023, 10:15 a.m.
Registration Date	Aug. 25, 2023, 4 p.m.
Last Update	Nov. 21, 2024, 5:19 p.m.

Affected software configurations

Related information, measures and tools

No	URL	タグ
1	https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html
2	https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html
3	https://lists.debian.org/debian-lts-announce/2023/10/msg00017.html
4	https://lists.debian.org/debian-lts-announce/2023/10/msg00017.html
5	https://mail.python.org/archives/list/security-announce%40python.org/thread/PEPLII27KYHLF4AK3ZQGKYNCRERG4YXY/
6	https://mail.python.org/archives/list/security-announce%40python.org/thread/PEPLII27KYHLF4AK3ZQGKYNCRERG4YXY/
7	https://security.netapp.com/advisory/ntap-20231006-0014/
8	https://security.netapp.com/advisory/ntap-20231006-0014/
9	https://www.python.org/dev/security/	Vendor Advisory
10	https://www.python.org/dev/security/	Vendor Advisory

Common Vulnerabilities List

JVN Vulnerability Information

Python Software Foundation の Python における脆弱性

Title	Python Software Foundation の Python における脆弱性
Summary	Python Software Foundation の Python には、不特定の脆弱性が存在します。
Possible impacts	情報を取得される可能性があります。
Solution	ベンダアドバイザリまたはパッチ情報が公開されています。参考情報を参照して適切な対策を実施してください。
Publication Date	Aug. 25, 2023, midnight
Registration Date	Dec. 13, 2023, 4:16 p.m.
Last Update	April 18, 2025, 4:26 p.m.

Affected System

Python Software Foundation

Python 3.10.0 以上 3.10.13 未満

Python 3.11.0 以上 3.11.5 未満

Python 3.8.18 未満

Python 3.9.0 以上 3.9.18 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2023-40217	https://www.cve.org/CVERecord?id=CVE-2023-40217
National Vulnerability Database (NVD)
2	CVE-2023-40217	https://nvd.nist.gov/vuln/detail/CVE-2023-40217

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-noinfo	https://www.ipa.go.jp/security/vuln/scap/cwe.html

その他

No	Name	URL
ICS-CERT ADVISORY
1	ICSA-25-105-08	https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-08
JVN
2	JVNVU#92488108	https://jvn.jp/vu/JVNVU92488108/index.html
関連文書
3	lists.debian.org (msg00017)	https://lists.debian.org/debian-lts-announce/2023/10/msg00017.html
4	lists.debian.org (msg00022)	https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html
5	mail.python.org (PEPLII27KYHLF4AK3ZQGKYNCRERG4YXY)	https://mail.python.org/archives/list/security-announce%40python.org/thread/PEPLII27KYHLF4AK3ZQGKYNCRERG4YXY/
6	security.netapp.com (ntap-20231006-0014)	https://security.netapp.com/advisory/ntap-20231006-0014/
7	www.python.org (security)	https://www.python.org/dev/security/

Change Log

No	Changed Details	Date of change
1	[2023年12月13日] 掲載	Dec. 13, 2023, 4:16 p.m.
2	[2025年04月18日] 参考情報：JVN (JVNVU#92488108) を追加参考情報：ICS-CERT ADVISORY (ICSA-25-105-08) を追加	April 18, 2025, 4:26 p.m.