CVE-2023-41105

python: file path truncation at \0 characters

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

NVD
RedHat

An issue was discovered in Python 3.11 through 3.11.4. If a path containing '\0' bytes is passed to os.path.normpath(), the path will be truncated unexpectedly at the first '\0' byte. There are plausible cases in which an application would have rejected a filename for security reasons in Python 3.10.x or earlier, but that filename is no longer rejected in Python 3.11.x.

Python 3.11 os.path.normpath() function is vulnerable to path truncation if a null byte is inserted in the middle of passed path. This may result in bypass of allow lists if implemented before the verification of the path.

*Credits: N/A

CVSS Scores

NISTv3.1 7.5

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

None

Automatable

Yes

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2023-08-23 CVE Reserved
2023-08-23 CVE Published
2023-10-13 First Exploit
2024-09-24 EPSS Updated
2024-10-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-158: Improper Neutralization of Null Byte or NUL Character
CWE-426: Untrusted Search Path

CAPEC

References (9)

URL	Tag	Source
https://mail.python.org/archives/list/security-announce%40python.org/thread/D6CDW3ZZC5D444YGL3VQUY6D4ECMCQLD
https://security.netapp.com/advisory/ntap-20231006-0015	Third Party Advisory

URL	Date	SRC
https://github.com/JawadPy/CVE-2023-41105-Exploit	2023-10-13

URL	Date	SRC
https://github.com/python/cpython/issues/106242	2023-11-07
https://github.com/python/cpython/pull/107981	2023-11-07
https://github.com/python/cpython/pull/107982	2023-11-07
https://github.com/python/cpython/pull/107983	2023-11-07

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2023-41105	2023-11-14
https://bugzilla.redhat.com/show_bug.cgi?id=2235795	2023-11-14

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Python Search vendor "Python"		Python Search vendor "Python" for product "Python"				>= 3.11.0 <= 3.11.4 Search vendor "Python" for product "Python" and version " >= 3.11.0 <= 3.11.4"		-		Affected
Netapp Search vendor "Netapp"		Active Iq Unified Manager Search vendor "Netapp" for product "Active Iq Unified Manager"				-		windows		Affected