improve some python 2023 CVE version ranges
Signed-off-by: Weston Steimel <commits@weston.slmail.me>
1 parent
64742a2
commit afed90c
Showing
4 changed files
with
184 additions
and
0 deletions.
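--- /dev/null
+++ b/PATH-NOT-ON-PAGE/CVE-2023-33595
@@ -0,0 +1,38 @@
+{
+"additionalMetadata": {
+"cna": "mitre",
+"cveId": "CVE-2023-33595",
+"description": "CPython v3.12.0 alpha 7 was discovered to contain a heap use-after-free via the function ascii_decode at /Objects/unicodeobject.c.",
+"reason": "Improve version ranges to indicate fix",
+"references": [
+"https://github.com/python/cpython/issues/103824",
+"https://github.com/python/cpython/pull/103993/commits/c120bc2d354ca3d27d0c7a53bf65574ddaabaf3a"
+]
+},
+"adp": {
+"affected": [
+{
+"collectionURL": "https://github.com",
+"cpes": [
+"cpe:2.3:a:python:python:*:*:*:*:*:*:*:*"
+],
+"packageName": "python/cpython",
+"product": "CPython",
+"repo": "https://github.com/python/cpython",
+"vendor": "Python Software Foundation",
+"versions": [
+{
+"lessThan": "3.12.0-alpha8",
+"status": "affected",
+"version": "3.12.0-alpha0",
+"versionType": "python"
+}
+]
+}
+],
+"providerMetadata": {
+"orgId": "00000000-0000-4000-8000-000000000000",
+"shortName": "anchoreadp"
+}
+}
+}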
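Review bot: The upper bound `"lessThan": "3.12.0-alpha8"` names a release that was never published — 3.12.0a7 was the last 3.12 alpha and the next release was 3.12.0b1 — so the record only encodes the fix boundary indirectly. If the referenced fix (PR 103993) shipped in 3.12.0b1, `"lessThan": "3.12.0b1"` states that directly; if it landed in a later beta, the current bound under-reports the affected range, so the first fixed release should be confirmed from the PR before merging. This record also spells its pre-releases as `3.12.0-alpha0` / `3.12.0-alpha8` while the other three files in this commit use the PEP 440 short form (`3.12.0a1`, `3.13.0a1`, `3.12.0rc2`); both spellings normalize to the same value under PEP 440, but a consumer that compares `"versionType": "python"` values with a plain string or component comparison will treat them differently, so one spelling should be used across the dataset.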
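--- /dev/null
+++ b/PATH-NOT-ON-PAGE/CVE-2023-38898
@@ -0,0 +1,51 @@
+{
+"additionalMetadata": {
+"cna": "mitre",
+"cveId": "CVE-2023-38898",
+"description": "An issue in Python cpython v.3.7 allows an attacker to obtain sensitive information via the _asyncio._swap_current_task component. NOTE: this is disputed by the vendor because (1) neither 3.7 nor any other release is affected (it is a bug in some 3.12 pre-releases); (2) there are no common scenarios in which an adversary can call _asyncio._swap_current_task but does not already have the ability to call arbitrary functions; and (3) there are no common scenarios in which sensitive information, which is not already accessible to an adversary, becomes accessible through this bug.",
+"reason": "Improve version ranges to indicate fix",
+"references": [
+"https://github.com/python/cpython/issues/105987"
+]
+},
+"adp": {
+"affected": [
+{
+"collectionURL": "https://github.com",
+"cpes": [
+"cpe:2.3:a:python:python:*:*:*:*:*:*:*:*"
+],
+"packageName": "python/cpython",
+"product": "CPython",
+"repo": "https://github.com/python/cpython",
+"vendor": "Python Software Foundation",
+"versions": [
+{
+"lessThan": "3.13.0a1",
+"status": "affected",
+"version": "3.13.0a0",
+"versionType": "python"
+},
+{
+"lessThan": "3.12.0b4",
+"status": "affected",
+"version": "0",
+"versionType": "python"
+}
+]
+}
+],
+"providerMetadata": {
+"orgId": "00000000-0000-4000-8000-000000000000",
+"shortName": "anchoreadp"
+},
+"references": [
+{
+"url": "https://github.com/python/cpython/pull/106099"
+},
+{
+"url": "https://github.com/python/cpython/pull/105989"
+}
+]
+}
+}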
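Review bot: The second range, `"version": "0"` with `"lessThan": "3.12.0b4"`, marks every CPython release from 0 up to 3.12.0b3 as affected, which contradicts the record's own description — the vendor dispute quoted there says neither 3.7 nor any other release is affected and that the bug exists only in some 3.12 pre-releases. Unless the over-broad range is deliberate, the lower bound should be the 3.12 pre-release that introduced `_asyncio._swap_current_task` (presumably an early 3.12 alpha; confirm from issue 105987), e.g. `"version": "3.12.0a1"` as the CVE-2023-41105 record in this commit does, so that scanners do not flag every 3.7–3.11 installation for a disputed, pre-release-only bug. Separately, this file puts the fix PRs under `adp.references` while the other three records in the commit keep fix links in `additionalMetadata.references`; if the ADP schema accepts both, pick one placement and use it consistently.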
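--- /dev/null
+++ b/PATH-NOT-ON-PAGE/CVE-2023-41105
@@ -0,0 +1,48 @@
+{
+"additionalMetadata": {
+"cna": "mitre",
+"cveId": "CVE-2023-41105",
+"description": "An issue was discovered in Python 3.11 through 3.11.4. If a path containing '\\0' bytes is passed to os.path.normpath(), the path will be truncated unexpectedly at the first '\\0' byte. There are plausible cases in which an application would have rejected a filename for security reasons in Python 3.10.x or earlier, but that filename is no longer rejected in Python 3.11.x.",
+"reason": "Improve version ranges to indicate fix",
+"references": [
+"https://github.com/python/cpython/issues/106242",
+"https://github.com/python/cpython/pull/107981",
+"https://github.com/python/cpython/pull/107982",
+"https://github.com/python/cpython/pull/107983",
+"https://mail.python.org/archives/list/security-announce%40python.org/thread/D6CDW3ZZC5D444YGL3VQUY6D4ECMCQLD/",
+"https://security.netapp.com/advisory/ntap-20231006-0015/"
+]
+},
+"adp": {
+"affected": [
+{
+"collectionURL": "https://github.com",
+"cpes": [
+"cpe:2.3:a:python:python:*:*:*:*:*:*:*:*"
+],
+"packageName": "python/cpython",
+"product": "CPython",
+"repo": "https://github.com/python/cpython",
+"vendor": "Python Software Foundation",
+"versions": [
+{
+"lessThan": "3.12.0rc2",
+"status": "affected",
+"version": "3.12.0a1",
+"versionType": "python"
+},
+{
+"lessThan": "3.11.5",
+"status": "affected",
+"version": "3.11.0",
+"versionType": "python"
+}
+]
+}
+],
+"providerMetadata": {
+"orgId": "00000000-0000-4000-8000-000000000000",
+"shortName": "anchoreadp"
+}
+}
+}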
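--- /dev/null
+++ b/PATH-NOT-ON-PAGE/CVE-2023-6507
@@ -0,0 +1,47 @@
+{
+"additionalMetadata": {
+"cna": "psf",
+"cveId": "CVE-2023-6507",
+"description": "An issue was found in CPython 3.12.0 `subprocess` module on POSIX platforms. The issue was fixed in CPython 3.12.1 and does not affect other stable releases.\n\nWhen using the `extra_groups=` parameter with an empty list as a value (ie `extra_groups=[]`) the logic regressed to not call `setgroups(0, NULL)` before calling `exec()`, thus not dropping the original processes' groups before starting the new process. There is no issue when the parameter isn't used or when any value is used besides an empty list.\n\nThis issue only impacts CPython processes run with sufficient privilege to make the `setgroups` system call (typically `root`).",
+"reason": "Improve version ranges to indicate fix",
+"references": [
+"https://github.com/python/cpython/commit/10e9bb13b8dcaa414645b9bd10718d8f7179e82b",
+"https://github.com/python/cpython/commit/85bbfa8a4bbdbb61a3a84fbd7cb29a4096ab8a06",
+"https://github.com/python/cpython/commit/9fe7655c6ce0b8e9adc229daf681b6d30e6b1610",
+"https://github.com/python/cpython/issues/112334",
+"https://mail.python.org/archives/list/security-announce@python.org/thread/AUL7QFHBLILGISS7U63B47AYSSGJJQZD/"
+]
+},
+"adp": {
+"affected": [
+{
+"collectionURL": "https://github.com",
+"cpes": [
+"cpe:2.3:a:python:python:*:*:*:*:*:*:*:*"
+],
+"packageName": "python/cpython",
+"product": "CPython",
+"repo": "https://github.com/python/cpython",
+"vendor": "Python Software Foundation",
+"versions": [
+{
+"lessThan": "3.12.1",
+"status": "affected",
+"version": "3.12.0",
+"versionType": "python"
+},
+{
+"lessThan": "3.13.0a3",
+"status": "affected",
+"version": "3.13.0a1",
+"versionType": "python"
+}
+]
+}
+],
+"providerMetadata": {
+"orgId": "00000000-0000-4000-8000-000000000000",
+"shortName": "anchoreadp"
+}
+}
+}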
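Review bot: The 3.12 range starts at `"version": "3.12.0"`, so none of the 3.12.0 pre-releases (alphas, betas, release candidates) are marked affected, while the 3.13 range in the same record deliberately covers pre-releases from 3.13.0a1. The description only establishes that 3.12.0 is affected and that other *stable* releases are not; it says nothing about whether the `extra_groups=[]` regression was already present in the 3.12.0 pre-releases. If the referenced issue 112334 or the three fix commits show the regression predates 3.12.0 final, the lower bound should be the first affected pre-release (e.g. `"version": "3.12.0a1"`, following the CVE-2023-41105 record in this commit); if pre-releases were checked and found clean, a short note in `"reason"` saying so would stop the next person from re-deriving it.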