CVE-2023-38898Sensitive Information Exposure in Python

CWE-200Sensitive Information Exposure4 documents4 sources
Severity
5.3MEDIUMNVD
EPSS
0.4%
top 40.38%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
PythonDebian Python2.7Debian Python3.11+1 more
Timeline
PublishedAug 15

Description

An issue in Python cpython v.3.7 allows an attacker to obtain sensitive information via the _asyncio._swap_current_task component. NOTE: this is disputed by the vendor because (1) neither 3.7 nor any other release is affected (it is a bug in some 3.12 pre-releases); (2) there are no common scenarios in which an adversary can call _asyncio._swap_current_task but does not already have the ability to call arbitrary functions; and (3) there are no common scenarios in which sensitive information, whi

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages4 packages

NVDpython/python3.13.0

Patches

Patch: github.comPatch: github.com

🔴Vulnerability Details

1
GHSA
GHSA-73qf-r7xg-3ghc: An issue in Python cpython v2023-08-15

📋Vendor Advisories

2
Red Hat
python: sensitive information can be obtained via the _asyncio._swap_current_task component.2023-08-15
Debian
CVE-2023-38898: python2.7 - An issue in Python cpython v.3.7 allows an attacker to obtain sensitive informat...2023