Race condition in Python

#VU82079 Race condition in Python

Published: 2023-10-17

Vulnerability identifier: #VU82079

Vulnerability risk: Medium

CVSSv3.1: 5.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-48566

CWE-ID: CWE-362

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Python
Universal components / Libraries / Scripting languages

Vendor:

Description

The vulnerability allows a remote attacker to gain access to sensitive information,

The vulnerability exists due to a race condition in compare_digest in Lib/hmac.py. A remote attacker can exploit the race and gain unauthorized access to sensitive information.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

External links
http://bugs.python.org/issue40791
http://lists.debian.org/debian-lts-announce/2023/09/msg00022.html
http://security.netapp.com/advisory/ntap-20231006-0013/
http://lists.debian.org/debian-lts-announce/2023/10/msg00017.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Dell Networking OS10

SUSE update for python3

Dell EMC NetWorker vProxy update for third-party components

Multiple vulnerabilities in IBM Robotic Process Automation for Cloud Pak

VMware Tanzu products update for Python

Multiple vulnerabilities in IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data

Multiple vulnerabilities in Index Engines CyberSense

Multiple vulnerabilities in Dell EMC Enterprise SONiC

SUSE update for python