Back

CVE-2024-3219

July 29, 2024, 10:15 p.m.

Received
CVE has been recently published to the CVE List and has been received by the NVD.

Products

CPython

  • 3.5

Source

cna@python.org

Tags

cna@python.org
2024-07-29
CVE-2024-3219

CVE-2024-3219 details

Published : July 29, 2024, 10:15 p.m.
Last Modified : July 29, 2024, 10:15 p.m.

Description

There is a MEDIUM severity vulnerability affecting CPython. The “socket” module provides a pure-Python fallback to the socket.socketpair() function for platforms that don’t support AF_UNIX, such as Windows. This pure-Python implementation uses AF_INET or AF_INET6 to create a local connected pair of sockets. The connection between the two sockets was not verified before passing the two sockets back to the user, which leaves the server socket vulnerable to a connection race from a malicious local peer. Platforms that support AF_UNIX such as Linux and macOS are not affected by this vulnerability. Versions prior to CPython 3.5 are not affected due to the vulnerable API not being included.

CVSS Score

1 2 3 4 5 6 7 8 9 10

Weakness

Weakness Name Description

References

URL Source
https://github.com/python/cpython/issues/122133 cna@python.org
https://github.com/python/cpython/pull/122134 cna@python.org
https://mail.python.org/archives/list/security-announce@python.org/thread/WYKDQWIERRE2ICIYMSVRZJO33GSCWU2B/ cna@python.org
This website uses the NVD API, but is not approved or certified by it.