CVE-2019-19274 - OpenCVE

typed_ast 1.3.0 and 1.3.1 has a handle_keywordonly_args out-of-bounds read. An attacker with the ability to cause a Python interpreter to parse Python source (but not necessarily execute it) may be able to crash the interpreter process. This could be a concern, for example, in a web-based service that parses (but does not execute) Python code. (This issue also affected certain Python 3.8.0-alpha prereleases.)

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:N/C:N/I:N/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Python	Typed Ast

Configuration 1 [-]

OR	cpe:2.3:a:python:typed_ast:1.3.0:::::::*
	cpe:2.3:a:python:typed_ast:1.3.1:::::::*

No data.

References

Link	Providers
https://bugs.python.org/issue36495
https://github.com/python/cpython/commit/a4d78362397fc3bced6ea80fbc7b5f4827aec55e
https://github.com/python/cpython/commit/dcfcd146f8e6fc5c2fc16a4c192a0c5f5ca8c53c
https://github.com/python/typed_ast/commit/156afcb26c198e162504a57caddfe0acd9ed7dce
https://github.com/python/typed_ast/commit/dc317ac9cff859aa84eeabe03fb5004982545b3b
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LG5H4Q6LFVRX7SFXLBEJMNQFI4T5SCEA/

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2019-11-26T14:08:25

Updated: 2024-08-05T02:09:39.543Z

Reserved: 2019-11-26T00:00:00

Link: CVE-2019-19274

Vulnrichment

No data.

NVD

Status : Modified

Published: 2019-11-26T15:15:12.770

Modified: 2023-11-07T03:07:37.060

Link: CVE-2019-19274

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "typed_ast 1.3.0 and 1.3.1 has a handle_keywordonly_args out-of-bounds read. An attacker with the ability to cause a Python interpreter to parse Python source (but not necessarily execute it) may be able to crash the interpreter process. This could be a concern, for example, in a web-based service that parses (but does not execute) Python code. (This issue also affected certain Python 3.8.0-alpha prereleases.)"}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-03-14T01:06:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/python/typed_ast/commit/156afcb26c198e162504a57caddfe0acd9ed7dce"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/python/cpython/commit/dcfcd146f8e6fc5c2fc16a4c192a0c5f5ca8c53c"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/python/cpython/commit/a4d78362397fc3bced6ea80fbc7b5f4827aec55e"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/python/typed_ast/commit/dc317ac9cff859aa84eeabe03fb5004982545b3b"}, {"tags": ["x_refsource_MISC"], "url": "https://bugs.python.org/issue36495"}, {"name": "FEDORA-2020-9b3dabc21c", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LG5H4Q6LFVRX7SFXLBEJMNQFI4T5SCEA/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-19274", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "typed_ast 1.3.0 and 1.3.1 has a handle_keywordonly_args out-of-bounds read. An attacker with the ability to cause a Python interpreter to parse Python source (but not necessarily execute it) may be able to crash the interpreter process. This could be a concern, for example, in a web-based service that parses (but does not execute) Python code. (This issue also affected certain Python 3.8.0-alpha prereleases.)"}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/python/typed_ast/commit/156afcb26c198e162504a57caddfe0acd9ed7dce", "refsource": "MISC", "url": "https://github.com/python/typed_ast/commit/156afcb26c198e162504a57caddfe0acd9ed7dce"}, {"name": "https://github.com/python/cpython/commit/dcfcd146f8e6fc5c2fc16a4c192a0c5f5ca8c53c", "refsource": "MISC", "url": "https://github.com/python/cpython/commit/dcfcd146f8e6fc5c2fc16a4c192a0c5f5ca8c53c"}, {"name": "https://github.com/python/cpython/commit/a4d78362397fc3bced6ea80fbc7b5f4827aec55e", "refsource": "MISC", "url": "https://github.com/python/cpython/commit/a4d78362397fc3bced6ea80fbc7b5f4827aec55e"}, {"name": "https://github.com/python/typed_ast/commit/dc317ac9cff859aa84eeabe03fb5004982545b3b", "refsource": "MISC", "url": "https://github.com/python/typed_ast/commit/dc317ac9cff859aa84eeabe03fb5004982545b3b"}, {"name": "https://bugs.python.org/issue36495", "refsource": "MISC", "url": "https://bugs.python.org/issue36495"}, {"name": "FEDORA-2020-9b3dabc21c", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LG5H4Q6LFVRX7SFXLBEJMNQFI4T5SCEA/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T02:09:39.543Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/python/typed_ast/commit/156afcb26c198e162504a57caddfe0acd9ed7dce"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/python/cpython/commit/dcfcd146f8e6fc5c2fc16a4c192a0c5f5ca8c53c"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/python/cpython/commit/a4d78362397fc3bced6ea80fbc7b5f4827aec55e"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/python/typed_ast/commit/dc317ac9cff859aa84eeabe03fb5004982545b3b"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugs.python.org/issue36495"}, {"name": "FEDORA-2020-9b3dabc21c", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LG5H4Q6LFVRX7SFXLBEJMNQFI4T5SCEA/"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-19274", "datePublished": "2019-11-26T14:08:25", "dateReserved": "2019-11-26T00:00:00", "dateUpdated": "2024-08-05T02:09:39.543Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:python:typed_ast:1.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "A89928A4-7430-4874-BE50-9870FB8388D6", "vulnerable": true}, {"criteria": "cpe:2.3:a:python:typed_ast:1.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "31501157-938B-4795-AF8E-C23C5BC1AD2D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "typed_ast 1.3.0 and 1.3.1 has a handle_keywordonly_args out-of-bounds read. An attacker with the ability to cause a Python interpreter to parse Python source (but not necessarily execute it) may be able to crash the interpreter process. This could be a concern, for example, in a web-based service that parses (but does not execute) Python code. (This issue also affected certain Python 3.8.0-alpha prereleases.)"}, {"lang": "es", "value": "typed_ast versiones 1.3.0 y 1.3.1, presenta una lectura fuera de l\u00edmites de la funci\u00f3n handle_keywordonly_args. Un atacante con la capacidad de causar que un int\u00e9rprete de Python analice el origen de Python (pero no necesariamente lo ejecute) puede bloquear el proceso del int\u00e9rprete. Esto podr\u00eda ser una preocupaci\u00f3n, por ejemplo, en un servicio basado en la web que analiza (pero no ejecuta) el c\u00f3digo Python. (Este problema tambi\u00e9n afect\u00f3 a determinadas versiones previas de Python 3.8.0-alpha)."}], "id": "CVE-2019-19274", "lastModified": "2023-11-07T03:07:37.060", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-11-26T15:15:12.770", "references": [{"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://bugs.python.org/issue36495"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/python/cpython/commit/a4d78362397fc3bced6ea80fbc7b5f4827aec55e"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/python/cpython/commit/dcfcd146f8e6fc5c2fc16a4c192a0c5f5ca8c53c"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/python/typed_ast/commit/156afcb26c198e162504a57caddfe0acd9ed7dce"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/python/typed_ast/commit/dc317ac9cff859aa84eeabe03fb5004982545b3b"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LG5H4Q6LFVRX7SFXLBEJMNQFI4T5SCEA/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "nvd@nist.gov", "type": "Primary"}]}