CVE-2023-40217 – python: TLS handshake bypass
https://notcve.org/view.php?id=CVE-2023-40217
An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as "not connected" and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. • https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html https://lists.debian.org/debian-lts-announce/2023/10/msg00017.html https://mail.python.org/archives/list/security-announce%40python.org/thread/PEPLII27KYHLF4AK3ZQGKYNCRERG4YXY https://security.netapp.com/advisory/ntap-20231006-0014 https://www.python.org/dev/security https://access.redhat.com/security/cve/CVE-2023-40217 https://bugzilla.redhat.com/show_bug.cgi?id=2235789 • CWE-305: Authentication Bypass by Primary Weakness •
CVE-2023-41105 – python: file path truncation at \0 characters
https://notcve.org/view.php?id=CVE-2023-41105
An issue was discovered in Python 3.11 through 3.11.4. If a path containing '\0' bytes is passed to os.path.normpath(), the path will be truncated unexpectedly at the first '\0' byte. There are plausible cases in which an application would have rejected a filename for security reasons in Python 3.10.x or earlier, but that filename is no longer rejected in Python 3.11.x. Python 3.11 os.path.normpath() function is vulnerable to path truncation if a null byte is inserted in the middle of passed path. This may result in bypass of allow lists if implemented before the verification of the path. • https://github.com/JawadPy/CVE-2023-41105-Exploit https://github.com/python/cpython/issues/106242 https://github.com/python/cpython/pull/107981 https://github.com/python/cpython/pull/107982 https://github.com/python/cpython/pull/107983 https://mail.python.org/archives/list/security-announce%40python.org/thread/D6CDW3ZZC5D444YGL3VQUY6D4ECMCQLD https://security.netapp.com/advisory/ntap-20231006-0015 https://access.redhat.com/security/cve/CVE-2023-41105 https://bugzilla.redhat.com/show_bug.cgi • CWE-158: Improper Neutralization of Null Byte or NUL Character CWE-426: Untrusted Search Path •
CVE-2022-48564 – python: DoS when processing malformed Apple Property List files in binary format
https://notcve.org/view.php?id=CVE-2022-48564
read_ints in plistlib.py in Python through 3.9.1 is vulnerable to a potential DoS attack via CPU and RAM exhaustion when processing malformed Apple Property List files in binary format. A vulnerability was found in the Python core plistlib library within the read_ints() function in the plistlib.py file. In malformed input, the implementation can be manipulated to create an argument for struct.unpack(). This issue can lead to excessive CPU and memory consumption, resulting in a MemError, as it constructs the 'format' argument for unpack(). This flaw allows an attacker to employ a binary plist input, potentially executing a denial of service (DoS) attack by exhausting CPU and RAM resources. • https://bugs.python.org/issue42103 https://lists.debian.org/debian-lts-announce/2023/10/msg00017.html https://security.netapp.com/advisory/ntap-20230929-0009 https://access.redhat.com/security/cve/CVE-2022-48564 https://bugzilla.redhat.com/show_bug.cgi?id=2249750 • CWE-400: Uncontrolled Resource Consumption •
CVE-2022-48566
https://notcve.org/view.php?id=CVE-2022-48566
An issue was discovered in compare_digest in Lib/hmac.py in Python through 3.9.1. Constant-time-defeating optimisations were possible in the accumulator variable in hmac.compare_digest. • https://bugs.python.org/issue40791 https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html https://lists.debian.org/debian-lts-announce/2023/10/msg00017.html https://security.netapp.com/advisory/ntap-20231006-0013 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVE-2022-48560 – python: use after free in heappushpop() of heapq module
https://notcve.org/view.php?id=CVE-2022-48560
A use-after-free exists in Python through 3.9 via heappushpop in heapq. A use-after-free vulnerability was found in Python via the heappushpop function in the heapq module. This flaw allows an attacker to submit a specially crafted request, causing a service disruption that leads to a denial of service attack. • https://bugs.python.org/issue39421 https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html https://lists.debian.org/debian-lts-announce/2023/10/msg00017.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JZ5OOBWNYWXFTZDMCGHJVGDLDTHLWITJ https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VO7Y2YZSDK3UYJD2KBGLXRTGNG6T326J https://security.netapp.com/advisory/ntap-20230929-0008 https://access.redhat.com/security/cve/CVE-2022 • CWE-416: Use After Free •