CVE-2019-19275

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

typed_ast 1.3.0 and 1.3.1 has an ast_for_arguments out-of-bounds read. An attacker with the ability to cause a Python interpreter to parse Python source (but not necessarily execute it) may be able to crash the interpreter process. This could be a concern, for example, in a web-based service that parses (but does not execute) Python code. (This issue also affected certain Python 3.8.0-alpha prereleases.)

typed_ast versiones 1.3.0 y 1.3.1, presenta una lectura fuera de límites de la función ast_for_arguments. Un atacante con la capacidad de causar que un intérprete de Python analice el origen de Python (pero no necesariamente lo ejecute) puede bloquear el proceso del intérprete. Esto podría ser una preocupación, por ejemplo, en un servicio basado en la web que analiza (pero no ejecuta) el código Python. (Este problema también afectó a determinadas versiones previas de Python 3.8.0-alpha).

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2019-11-26 CVE Reserved
2019-11-26 CVE Published
2024-03-21 EPSS Updated
2024-08-05 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-125: Out-of-bounds Read

CAPEC

References (6)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC
https://bugs.python.org/issue36495	2023-11-07
https://github.com/python/cpython/commit/a4d78362397fc3bced6ea80fbc7b5f4827aec55e	2023-11-07
https://github.com/python/cpython/commit/dcfcd146f8e6fc5c2fc16a4c192a0c5f5ca8c53c	2023-11-07
https://github.com/python/typed_ast/commit/156afcb26c198e162504a57caddfe0acd9ed7dce	2023-11-07
https://github.com/python/typed_ast/commit/dc317ac9cff859aa84eeabe03fb5004982545b3b	2023-11-07

URL	Date	SRC
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LG5H4Q6LFVRX7SFXLBEJMNQFI4T5SCEA	2023-11-07

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Python Search vendor "Python"		Typed Ast Search vendor "Python" for product "Typed Ast"				1.3.0 Search vendor "Python" for product "Typed Ast" and version "1.3.0"		-		Affected
Python Search vendor "Python"		Typed Ast Search vendor "Python" for product "Typed Ast"				1.3.1 Search vendor "Python" for product "Typed Ast" and version "1.3.1"		-		Affected