Risk | High |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2020-8315 |
CWE-ID | CWE-427 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software Subscribe |
CPython Universal components / Libraries / Scripting languages |
Vendor | Python.org |
Security Bulletin
This security bulletin contains one high risk vulnerability.
EUVDB-ID: #VU24843
Risk: High
CVSSv3.1: 8.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2020-8315
CWE-ID:
CWE-427 - Uncontrolled Search Path Element
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to direct calls to "LoadLibraryW()" in "getpathp.c" without any "LOAD_LIBRARY_SEARCH*" flags. A remote attacker can use a malicious copy of api-ms-win-core-path-l1-1-0.dll, which being loaded and used instead of the system's copy and execute arbitrary code on victim's system.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsCPython: 3.6.0 - 3.8.1
External linkshttp://bugs.python.org/issue39401
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.