#VU98567 Race condition in Python - CVE-2024-3219

Cybersecurity Help s.r.o.

Published: 2024-10-15

Vulnerability identifier: #VU98567

Vulnerability risk: Low

CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-3219

CWE-ID: CWE-362

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Python
Universal components / Libraries / Scripting languages

Vendor: Python.org

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to a race condition within the socket module, which provides a pure-Python fallback to the socket.socketpair() function for platforms that don’t support AF_UNIX, such as Windows. This pure-Python implementation uses AF_INET or AF_INET6 to create a local connected pair of sockets. The connection between the two sockets was not verified before passing the two sockets back to the user, which leaves the server socket vulnerable to a connection race from a malicious local peer.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Python: 3.5 - 3.5.10, 3.6 - 3.6.15, 3.7 - 3.7.17, 3.8 - 3.8.19, 3.9.0b4 - 3.9.19, 3.10.0 - 3.12.4

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Dell APEX Cloud Platform for Microsoft Azure update for third-party components

openEuler 22.03 LTS SP4 update for python3

openEuler 22.03 LTS SP3 update for python3

openEuler 22.03 LTS SP1 update for python3

openEuler 24.03 LTS update for python3

Information disclosure in Python