{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-9979", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2024-10-15T06:47:28.744Z", "datePublished": "2024-10-15T14:01:54.309Z", "dateUpdated": "2024-11-12T17:52:38.297Z"}, "containers": {"cna": {"title": "Pyo3: risk of use-after-free in `borrowed` reads from python weak references", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in PyO3. This vulnerability causes a use-after-free issue, potentially leading to memory corruption or crashes via unsound borrowing from weak Python references."}], "affected": [{"versions": [{"status": "affected", "version": "0.22.0", "lessThan": "0.22.4", "versionType": "semver"}], "packageName": "pyo3", "collectionURL": "https://github.com/PyO3/pyo3", "defaultStatus": "unaffected"}, {"vendor": "Red Hat", "product": "Red Hat Ansible Automation Platform 2", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "python3.11-nh3", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:ansible_automation_platform:2"]}, {"vendor": "Red Hat", "product": "Red Hat Ansible Automation Platform 2", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "python3.11-rpds-py", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:ansible_automation_platform:2"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "python3.11-cryptography", "defaultStatus": "unaffected", "cpes": ["cpe:/o:redhat:enterprise_linux:8"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "python3.12-cryptography", "defaultStatus": "unaffected", "cpes": ["cpe:/o:redhat:enterprise_linux:8"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "python3.11-cryptography", "defaultStatus": "unaffected", "cpes": ["cpe:/o:redhat:enterprise_linux:9"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "python3.12-cryptography", "defaultStatus": "unaffected", "cpes": ["cpe:/o:redhat:enterprise_linux:9"]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2024-9979", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318646", "name": "RHBZ#2318646", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://crates.io/crates/pyo3"}, {"url": "https://github.com/PyO3/pyo3/pull/4590"}, {"url": "https://rustsec.org/advisories/RUSTSEC-2024-0378.html"}], "datePublic": "2024-10-12T12:00:00+00:00", "problemTypes": [{"descriptions": [{"cweId": "CWE-416", "description": "Use After Free", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-416: Use After Free", "workarounds": [{"lang": "en", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}], "timeline": [{"lang": "en", "time": "2024-10-14T21:01:23.698016+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-10-12T12:00:00+00:00", "value": "Made public."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-11-12T17:52:38.297Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-15T14:19:04.359472Z", "id": "CVE-2024-9979", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-15T14:19:08.589Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-9979", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-10-15T14:19:04.359472Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-15T14:18:55.265Z"}}], "cna": {"title": "Pyo3: risk of use-after-free in `borrowed` reads from python weak references", "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"versions": [{"status": "affected", "version": "0.22.0", "lessThan": "0.22.4", "versionType": "semver"}], "packageName": "pyo3", "collectionURL": "https://github.com/PyO3/pyo3", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/a:redhat:ansible_automation_platform:2"], "vendor": "Red Hat", "product": "Red Hat Ansible Automation Platform 2", "packageName": "python3.11-nh3", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:ansible_automation_platform:2"], "vendor": "Red Hat", "product": "Red Hat Ansible Automation Platform 2", "packageName": "python3.11-rpds-py", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:8"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "packageName": "python3.11-cryptography", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:8"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "packageName": "python3.12-cryptography", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:9"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "packageName": "python3.11-cryptography", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:9"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "packageName": "python3.12-cryptography", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2024-10-14T21:01:23.698016+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-10-12T12:00:00+00:00", "value": "Made public."}], "datePublic": "2024-10-12T12:00:00+00:00", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2024-9979", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318646", "name": "RHBZ#2318646", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://crates.io/crates/pyo3"}, {"url": "https://github.com/PyO3/pyo3/pull/4590"}, {"url": "https://rustsec.org/advisories/RUSTSEC-2024-0378.html"}], "workarounds": [{"lang": "en", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}], "descriptions": [{"lang": "en", "value": "A flaw was found in PyO3. This vulnerability causes a use-after-free issue, potentially leading to memory corruption or crashes via unsound borrowing from weak Python references."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-416", "description": "Use After Free"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-11-12T17:52:38.297Z"}, "x_redhatCweChain": "CWE-416: Use After Free"}}, "cveMetadata": {"cveId": "CVE-2024-9979", "state": "PUBLISHED", "dateUpdated": "2024-11-12T17:52:38.297Z", "dateReserved": "2024-10-15T06:47:28.744Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2024-10-15T14:01:54.309Z", "assignerShortName": "redhat"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in PyO3. This vulnerability causes a use-after-free issue, potentially leading to memory corruption or crashes via unsound borrowing from weak Python references."}, {"lang": "es", "value": "Se encontr\u00f3 una falla en PyO3. Esta vulnerabilidad provoca un problema de use-after-free, que puede provocar da\u00f1os en la memoria o fallas debido a un pr\u00e9stamo incorrecto de referencias d\u00e9biles de Python."}], "id": "CVE-2024-9979", "lastModified": "2024-10-16T16:38:43.170", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.4, "source": "secalert@redhat.com", "type": "Primary"}]}, "published": "2024-10-15T14:15:05.817", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/security/cve/CVE-2024-9979"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318646"}, {"source": "secalert@redhat.com", "url": "https://crates.io/crates/pyo3"}, {"source": "secalert@redhat.com", "url": "https://github.com/PyO3/pyo3/pull/4590"}, {"source": "secalert@redhat.com", "url": "https://rustsec.org/advisories/RUSTSEC-2024-0378.html"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"bugzilla": {"description": "pyo3: Risk of use-after-free in `borrowed` reads from Python weak references", "id": "2318646", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2318646"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "status": "draft"}, "cwe": "CWE-416", "details": ["A flaw was found in PyO3. This vulnerability causes a use-after-free issue, potentially leading to memory corruption or crashes via unsound borrowing from weak Python references.", "A flaw was found in PyO3. This vulnerability causes a use-after-free issue, potentially leading to memory corruption or crashes via unsound borrowing from weak Python references."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-9979", "package_state": [{"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "python3.11-nh3", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "python3.11-rpds-py", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "python3.11-cryptography", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "python3.12-cryptography", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "python3.11-cryptography", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "python3.12-cryptography", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-10-12T12:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-9979\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-9979\nhttps://crates.io/crates/pyo3\nhttps://github.com/PyO3/pyo3/pull/4590\nhttps://rustsec.org/advisories/RUSTSEC-2024-0378.html"], "threat_severity": "Moderate"}