CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 0CVE-2023-6507 – Groups not dropped before running subprocess when using empty 'extra_groups' parameter
https://notcve.org/view.php?id=CVE-2023-6507
08 Dec 2023 — An issue was found in CPython 3.12.0 `subprocess` module on POSIX platforms. The issue was fixed in CPython 3.12.1 and does not affect other stable releases. When using the `extra_groups=` parameter with an empty list as a value (ie `extra_groups=[]`) the logic regressed to not call `setgroups(0, NULL)` before calling `exec()`, thus not dropping the original processes' groups before starting the new process. There is no issue when the parameter isn't used or when any value is used besides an empty list. Thi... • https://github.com/python/cpython/commit/10e9bb13b8dcaa414645b9bd10718d8f7179e82b • CWE-269: Improper Privilege Management •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 1CVE-2023-38898
https://notcve.org/view.php?id=CVE-2023-38898
15 Aug 2023 — An issue in Python cpython v.3.7 allows an attacker to obtain sensitive information via the _asyncio._swap_current_task component. NOTE: this is disputed by the vendor because (1) neither 3.7 nor any other release is affected (it is a bug in some 3.12 pre-releases); (2) there are no common scenarios in which an adversary can call _asyncio._swap_current_task but does not already have the ability to call arbitrary functions; and (3) there are no common scenarios in which sensitive information, which is not al... • https://github.com/python/cpython/issues/105987 •