OpenCVE

typed_ast 1.3.0 and 1.3.1 has an ast_for_arguments out-of-bounds read. An attacker with the ability to cause a Python interpreter to parse Python source (but not necessarily execute it) may be able to crash the interpreter process. This could be a concern, for example, in a web-based service that parses (but does not execute) Python code. (This issue also affected certain Python 3.8.0-alpha prereleases.)

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:N/C:N/I:N/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Python	Typed Ast

Configuration 1 [-]

OR	cpe:2.3:a:python:typed_ast:1.3.0:::::::*
	cpe:2.3:a:python:typed_ast:1.3.1:::::::*

No data.

References

Link	Providers
https://bugs.python.org/issue36495
https://github.com/python/cpython/commit/a4d78362397fc3bced6ea80fbc7b5f4827aec55e
https://github.com/python/cpython/commit/dcfcd146f8e6fc5c2fc16a4c192a0c5f5ca8c53c
https://github.com/python/typed_ast/commit/156afcb26c198e162504a57caddfe0acd9ed7dce
https://github.com/python/typed_ast/commit/dc317ac9cff859aa84eeabe03fb5004982545b3b
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LG5H4Q6LFVRX7SFXLBEJMNQFI4T5SCEA/

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2019-11-26T14:08:17

Updated: 2024-08-05T02:09:39.625Z

Reserved: 2019-11-26T00:00:00

Link: CVE-2019-19275

Vulnrichment

No data.

NVD

Status : Modified

Published: 2019-11-26T15:15:12.847

Modified: 2024-11-21T04:34:28.707

Link: CVE-2019-19275

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "typed_ast 1.3.0 and 1.3.1 has an ast_for_arguments out-of-bounds read. An attacker with the ability to cause a Python interpreter to parse Python source (but not necessarily execute it) may be able to crash the interpreter process. This could be a concern, for example, in a web-based service that parses (but does not execute) Python code. (This issue also affected certain Python 3.8.0-alpha prereleases.)"}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-03-14T01:06:02", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://github.com/python/typed_ast/commit/156afcb26c198e162504a57caddfe0acd9ed7dce"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/python/cpython/commit/dcfcd146f8e6fc5c2fc16a4c192a0c5f5ca8c53c"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/python/cpython/commit/a4d78362397fc3bced6ea80fbc7b5f4827aec55e"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/python/typed_ast/commit/dc317ac9cff859aa84eeabe03fb5004982545b3b"}, {"tags": ["x_refsource_MISC"], "url": "https://bugs.python.org/issue36495"}, {"name": "FEDORA-2020-9b3dabc21c", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LG5H4Q6LFVRX7SFXLBEJMNQFI4T5SCEA/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-19275", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "typed_ast 1.3.0 and 1.3.1 has an ast_for_arguments out-of-bounds read. An attacker with the ability to cause a Python interpreter to parse Python source (but not necessarily execute it) may be able to crash the interpreter process. This could be a concern, for example, in a web-based service that parses (but does not execute) Python code. (This issue also affected certain Python 3.8.0-alpha prereleases.)"}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://github.com/python/typed_ast/commit/156afcb26c198e162504a57caddfe0acd9ed7dce", "refsource": "MISC", "url": "https://github.com/python/typed_ast/commit/156afcb26c198e162504a57caddfe0acd9ed7dce"}, {"name": "https://github.com/python/cpython/commit/dcfcd146f8e6fc5c2fc16a4c192a0c5f5ca8c53c", "refsource": "MISC", "url": "https://github.com/python/cpython/commit/dcfcd146f8e6fc5c2fc16a4c192a0c5f5ca8c53c"}, {"name": "https://github.com/python/cpython/commit/a4d78362397fc3bced6ea80fbc7b5f4827aec55e", "refsource": "MISC", "url": "https://github.com/python/cpython/commit/a4d78362397fc3bced6ea80fbc7b5f4827aec55e"}, {"name": "https://github.com/python/typed_ast/commit/dc317ac9cff859aa84eeabe03fb5004982545b3b", "refsource": "MISC", "url": "https://github.com/python/typed_ast/commit/dc317ac9cff859aa84eeabe03fb5004982545b3b"}, {"name": "https://bugs.python.org/issue36495", "refsource": "MISC", "url": "https://bugs.python.org/issue36495"}, {"name": "FEDORA-2020-9b3dabc21c", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LG5H4Q6LFVRX7SFXLBEJMNQFI4T5SCEA/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T02:09:39.625Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/python/typed_ast/commit/156afcb26c198e162504a57caddfe0acd9ed7dce"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/python/cpython/commit/dcfcd146f8e6fc5c2fc16a4c192a0c5f5ca8c53c"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/python/cpython/commit/a4d78362397fc3bced6ea80fbc7b5f4827aec55e"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/python/typed_ast/commit/dc317ac9cff859aa84eeabe03fb5004982545b3b"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugs.python.org/issue36495"}, {"name": "FEDORA-2020-9b3dabc21c", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LG5H4Q6LFVRX7SFXLBEJMNQFI4T5SCEA/"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-19275", "datePublished": "2019-11-26T14:08:17", "dateReserved": "2019-11-26T00:00:00", "dateUpdated": "2024-08-05T02:09:39.625Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:python:typed_ast:1.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "A89928A4-7430-4874-BE50-9870FB8388D6", "vulnerable": true}, {"criteria": "cpe:2.3:a:python:typed_ast:1.3.1:*:*:*:*:*:*:*", "matchCriteriaId": "31501157-938B-4795-AF8E-C23C5BC1AD2D", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "typed_ast 1.3.0 and 1.3.1 has an ast_for_arguments out-of-bounds read. An attacker with the ability to cause a Python interpreter to parse Python source (but not necessarily execute it) may be able to crash the interpreter process. This could be a concern, for example, in a web-based service that parses (but does not execute) Python code. (This issue also affected certain Python 3.8.0-alpha prereleases.)"}, {"lang": "es", "value": "typed_ast versiones 1.3.0 y 1.3.1, presenta una lectura fuera de l\u00edmites de la funci\u00f3n ast_for_arguments. Un atacante con la capacidad de causar que un int\u00e9rprete de Python analice el origen de Python (pero no necesariamente lo ejecute) puede bloquear el proceso del int\u00e9rprete. Esto podr\u00eda ser una preocupaci\u00f3n, por ejemplo, en un servicio basado en la web que analiza (pero no ejecuta) el c\u00f3digo Python. (Este problema tambi\u00e9n afect\u00f3 a determinadas versiones previas de Python 3.8.0-alpha)."}], "id": "CVE-2019-19275", "lastModified": "2024-11-21T04:34:28.707", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-11-26T15:15:12.847", "references": [{"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://bugs.python.org/issue36495"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/python/cpython/commit/a4d78362397fc3bced6ea80fbc7b5f4827aec55e"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/python/cpython/commit/dcfcd146f8e6fc5c2fc16a4c192a0c5f5ca8c53c"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/python/typed_ast/commit/156afcb26c198e162504a57caddfe0acd9ed7dce"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/python/typed_ast/commit/dc317ac9cff859aa84eeabe03fb5004982545b3b"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LG5H4Q6LFVRX7SFXLBEJMNQFI4T5SCEA/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://bugs.python.org/issue36495"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/python/cpython/commit/a4d78362397fc3bced6ea80fbc7b5f4827aec55e"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/python/cpython/commit/dcfcd146f8e6fc5c2fc16a4c192a0c5f5ca8c53c"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/python/typed_ast/commit/156afcb26c198e162504a57caddfe0acd9ed7dce"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/python/typed_ast/commit/dc317ac9cff859aa84eeabe03fb5004982545b3b"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LG5H4Q6LFVRX7SFXLBEJMNQFI4T5SCEA/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-125"}], "source": "nvd@nist.gov", "type": "Primary"}]}