Products
CPython
- 3.5
Source
cna@python.org
Tags
CVE-2024-3219 details
Last Modified : July 29, 2024, 10:15 p.m.
Description
There is a MEDIUM severity vulnerability affecting CPython. The “socket” module provides a pure-Python fallback to the socket.socketpair() function for platforms that don’t support AF_UNIX, such as Windows. This pure-Python implementation uses AF_INET or AF_INET6 to create a local connected pair of sockets. The connection between the two sockets was not verified before passing the two sockets back to the user, which leaves the server socket vulnerable to a connection race from a malicious local peer. Platforms that support AF_UNIX such as Linux and macOS are not affected by this vulnerability. Versions prior to CPython 3.5 are not affected due to the vulnerable API not being included.
CVSS Score
1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 |
---|
Weakness
Weakness | Name | Description |
---|
References
URL | Source |
---|---|
https://github.com/python/cpython/issues/122133 | cna@python.org |
https://github.com/python/cpython/pull/122134 | cna@python.org |
https://mail.python.org/archives/list/security-announce@python.org/thread/WYKDQWIERRE2ICIYMSVRZJO33GSCWU2B/ | cna@python.org |