CVE-2023-38898 - OpenCVE

An issue in Python cpython v.3.7 allows an attacker to obtain sensitive information via the _asyncio._swap_current_task component. NOTE: this is disputed by the vendor because (1) neither 3.7 nor any other release is affected (it is a bug in some 3.12 pre-releases); (2) there are no common scenarios in which an adversary can call _asyncio._swap_current_task but does not already have the ability to call arbitrary functions; and (3) there are no common scenarios in which sensitive information, which is not already accessible to an adversary, becomes accessible through this bug.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Python	Python

Configuration 1 [-]

cpe:2.3:a:python:python:3.13.0:alpha0:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/python/cpython/issues/105987
https://nvd.nist.gov/vuln/detail/CVE-2023-38898
https://www.cve.org/CVERecord?id=CVE-2023-38898

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2023-08-15T00:00:00

Updated: 2024-08-02T17:54:39.611Z

Reserved: 2023-07-25T00:00:00

Link: CVE-2023-38898

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-08-15T17:15:12.187

Modified: 2024-08-02T18:15:57.347

Link: CVE-2023-38898

Redhat

Severity : Moderate

Publid Date: 2023-08-15T00:00:00Z

Links: CVE-2023-38898 - Bugzilla

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:python:python:3.13.0:alpha0:*:*:*:*:*:*", "matchCriteriaId": "3BA51E41-D221-431F-870F-536AF2867B50", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [{"sourceIdentifier": "cve@mitre.org", "tags": ["disputed"]}], "descriptions": [{"lang": "en", "value": "An issue in Python cpython v.3.7 allows an attacker to obtain sensitive information via the _asyncio._swap_current_task component. NOTE: this is disputed by the vendor because (1) neither 3.7 nor any other release is affected (it is a bug in some 3.12 pre-releases); (2) there are no common scenarios in which an adversary can call _asyncio._swap_current_task but does not already have the ability to call arbitrary functions; and (3) there are no common scenarios in which sensitive information, which is not already accessible to an adversary, becomes accessible through this bug."}, {"lang": "es", "value": "Un problema en Python cpython v.3.7 permite a un atacante obtener informaci\u00f3n sensible a trav\u00e9s del componente _asyncio._swap_current_task. NOTA: esto es discutido por el vendedor porque (1) ni la versi\u00f3n 3.7 ni ninguna otra est\u00e1 afectada (es un fallo en algunas versiones previas a la 3.12); (2) no hay escenarios comunes en los que un adversario pueda llamar a _asyncio._swap_current_task pero no tenga ya la capacidad de llamar a funciones arbitrarias; y (3) no hay escenarios comunes en los que informaci\u00f3n sensible, que no est\u00e9 ya accesible para un adversario, se vuelva accesible a trav\u00e9s de este fallo."}], "id": "CVE-2023-38898", "lastModified": "2024-08-02T18:15:57.347", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-08-15T17:15:12.187", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Issue Tracking", "Patch"], "url": "https://github.com/python/cpython/issues/105987"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "python: sensitive information can be obtained via the _asyncio._swap_current_task component.", "id": "2233280", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2233280"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "status": "draft"}, "cwe": "CWE-200", "details": ["An issue in Python cpython v.3.7 allows an attacker to obtain sensitive information via the _asyncio._swap_current_task component. NOTE: this is disputed by the vendor because (1) neither 3.7 nor any other release is affected (it is a bug in some 3.12 pre-releases); (2) there are no common scenarios in which an adversary can call _asyncio._swap_current_task but does not already have the ability to call arbitrary functions; and (3) there are no common scenarios in which sensitive information, which is not already accessible to an adversary, becomes accessible through this bug.", "A vulnerability was found in Python. This flaw allows an attacker to acquire sensitive information through the _asyncio._swap_current_task component."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2023-38898", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "python", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "python", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "python3", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "gimp:flatpak/python2", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "inkscape:flatpak/python2", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "python27:2.7/python2", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "python3", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "python3.11", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "python36:3.6/python36", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "python39", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "python39:3.9/python39", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "python3.11", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "python3.9", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Not affected", "package_name": "rh-python38-python", "product_name": "Red Hat Software Collections"}], "public_date": "2023-08-15T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-38898\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-38898"], "statement": "The vulnerability was introduces in Python 3.12. None of our products shipped the affected version, so our products are not affected by this security issue.\nVersions of python36:3.6/python36 as shipped with Red Hat Enterprise Linux 8 are marked as 'Not affected' as they just provide \"symlinks\" to the main python3 component, which provides the actual interpreter of the Python programming language.", "threat_severity": "Moderate"}