CVE-2024-3219Missing Authentication for Critical Function in Software Foundation Cpython

CWE-306Missing Authentication for Critical Function5 documents5 sources
Severity
5.1MEDIUMNVD
EPSS
0.1%
top 80.84%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Python Software Foundation Cpython
Timeline
PublishedJul 29
Latest updateJul 30

Description

The “socket” module provides a pure-Python fallback to the socket.socketpair() function for platforms that don’t support AF_UNIX, such as Windows. This pure-Python implementation uses AF_INET or AF_INET6 to create a local connected pair of sockets. The connection between the two sockets was not verified before passing the two sockets back to the user, which leaves the server socket vulnerable to a connection race from a malicious local peer. Platforms that support AF_UNIX such as Linux and macO

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Affected Packages1 packages

CVEListV5python_software_foundation/cpython3.9.03.9.20+5

🔴Vulnerability Details

3
GHSA
GHSA-r8h6-cwxj-rv5j: There is a MEDIUM severity vulnerability affecting CPython2024-07-30
OSV
CVE-2024-3219: There is a MEDIUM severity vulnerability affecting CPython2024-07-29
CVEList
Pure-Python fallback of socket.socketpair() doesn’t authenticate peer connection2024-07-29

📋Vendor Advisories

1
Debian
CVE-2024-3219: python2.7 - The “socket” module provides a pure-Python fallback to the socket.socketpair()...2024
CVE-2024-3219 — MEDIUM severity | cvebase