CVE-2020-8315 — Uncontrolled Search Path Element in Python

CWE-427 — Uncontrolled Search Path Element CWE-20 — Improper Input Validation7 documents7 sources

Severity

5.5MEDIUMNVD

EPSS

0.3%

top 44.68%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Python Debian Python2.7

Timeline

PublishedJan 28

Latest updateDec 14

Description

In Python (CPython) 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1, an insecure dependency load upon launch on Windows 7 may result in an attacker's copy of api-ms-win-core-path-l1-1-0.dll being loaded and used instead of the system's copy. Windows 8 and later are unaffected.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages2 packages

▶NVDpython/python3.6.0 — 3.6.10+2

▶debiandebian/python2.7

Patches

Patch: bugs.python.org ↗Patch: bugs.python.org ↗

🔴Vulnerability Details

GHSA

GHSA-646c-5wg7-pw2g: In Python (CPython) 3↗2022-05-24

▶

OSV

CVE-2020-8315: In Python (CPython) 3↗2020-01-28

▶

📋Vendor Advisories

CISA ICS

Siemens SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP V3.1↗2023-12-14

▶

Red Hat

python: unsafe dll loading in getpathp.c on Windows↗2020-01-21

▶

Debian

CVE-2020-8315: python2.7 - In Python (CPython) 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1...↗2020

▶

💬Community

Bugzilla

CVE-2020-8315 python: unsafe dll loading in getpathp.c on Windows↗2020-07-08

▶