CVE-2022-48566: Race Condition in Python

CWE-362: Race Condition | 10 documents | 6 sources
Severity: 5.9 MEDIUM (NVD) | OSV 7.6 | OSV 7.5
EPSS: 0.1% (top 73.07%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Aug 22 | Latest update Jan 6

Description

An issue was discovered in compare_digest in Lib/hmac.py in Python through 3.9.1. Constant-time-defeating optimisations were possible in the accumulator variable in hmac.compare_digest.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 2.2 | Impact: 3.6

Affected Packages (4 packages)

NVD | python/python | 3.7.0 | 3.7.10 | +3
debian | debian/python2.7 | < pypy3 7.3.5+dfsg-2 (bookworm)
debian | debian/python3.9 | < pypy3 7.3.5+dfsg-2 (bookworm)
debian | debian/pypy3 | < pypy3 7.3.5+dfsg-2 (bookworm)

Also affects: Debian Linux 10.0

Patches

🔴 Vulnerability Details (4)

OSV: python2.7 vulnerabilities (2025-01-06)
OSV: python3.5, python3.6, python3.7, python3.8, python3.9, python3.10, python3.11, python3.12 vulnerabilities (2024-07-11)
GHSA: GHSA-cgfh-jp5w-8cmx: An issue was discovered in compare_digest in Lib/hmac (2023-08-22)
OSV: CVE-2022-48566: An issue was discovered in compare_digest in Lib/hmac (2023-08-22)

📋 Vendor Advisories (5)

Ubuntu: Python vulnerabilities (2025-01-06)
Ubuntu: Python vulnerabilities (2024-07-11)
Ubuntu: Python vulnerability (2023-09-27)
Red Hat: python: constant-time-defeating optimisations issue in the compare_digest function in Lib/hmac.p (2023-08-22)
Debian: CVE-2022-48566: pypy3 - An issue was discovered in compare_digest in Lib/hmac.py in Python through 3.9.1... (2022)