CVE-2020-15523 — Uncontrolled Search Path Element in Python

CWE-427 — Uncontrolled Search Path Element CWE-908 — Use of Uninitialized Resource4 documents4 sources

Severity

7.8HIGHNVD

EPSS

0.1%

top 69.96%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Python Debian Python2.7

Timeline

PublishedJul 4

Latest updateDec 14

Description

In Python 3.6 through 3.6.10, 3.7 through 3.7.8, 3.8 through 3.8.4rc1, and 3.9 through 3.9.0b4 on Windows, a Trojan horse python3.dll might be used in cases where CPython is embedded in a native application. This occurs because python3X.dll may use an invalid search path for python3.dll loading (after Py_SetPath has been used). NOTE: this issue CANNOT occur when using python.exe from a standard (non-embedded) Python installation on Windows.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages2 packages

▶NVDpython/python3.5.0 — 3.5.10+5

▶debiandebian/python2.7

Patches

Patch: bugs.python.org ↗Patch: github.com ↗Patch: security.netapp.com ↗

🔴Vulnerability Details

GHSA

GHSA-mj5j-j2qm-c8g4: In Python 3↗2022-05-24

▶

📋Vendor Advisories

CISA ICS

Siemens SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP V3.1↗2023-12-14

▶

Debian

CVE-2020-15523: python2.7 - In Python 3.6 through 3.6.10, 3.7 through 3.7.8, 3.8 through 3.8.4rc1, and 3.9 t...↗2020

▶