CVE-2023-40217: 
NixOS vulnerability analysis and mitigation

CVE-2023-40217 is a vulnerability discovered in Python versions before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. The vulnerability primarily affects servers (such as HTTP servers) that use TLS client authentication (NVD). It was discovered and disclosed in August 2023, with patches released on August 24, 2023 (Python Security).

The vulnerability occurs when a TLS server-side socket is created, receives data into the socket buffer, and is then closed quickly. In this scenario, there is a brief window where the SSLSocket instance detects the socket as 'not connected' and won't initiate a handshake, but buffered data remains readable from the socket buffer. This data bypasses authentication if the server-side TLS peer expects client certificate authentication, and is indistinguishable from valid TLS stream data (NVD). The vulnerability has been assigned a CVSS base score of 5.3 (MEDIUM) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (NetApp Advisory).

The vulnerability primarily impacts HTTPS servers and other server-side protocols using TLS client authentication (such as mTLS). While there is no risk of data exfiltration directly from the malicious TLS connection, the vulnerability does carry risk for modifying or deleting resources which are authenticated using only TLS client certificates. The vulnerability affects clients who read and process data from the server after a TLS handshake without sending data first (Python Security).

The recommended mitigation is to upgrade to Python versions 3.11.5, 3.10.13, 3.9.18, or 3.8.18. Alternatively, users can add a call to SSLSocket.getpeername() after calling SSLSocket.wrap_socket() before any calls to SSLSocket.recv(). This call will raise an OSError if the socket isn't connected, thus mitigating the vulnerability (Python Security).