Bug 2233280 (CVE-2023-38898)
| Field | Value |
|---|---|
| Summary | CVE-2023-38898 python: sensitive information can be obtained via the _asyncio._swap_current_task component. |
| Product | [Other] Security Response |
| Reporter | Zack Miele <zmiele> |
| Component | vulnerability |
| Assignee | Product Security <prodsec-ir-bot> |
| Status | NEW --- |
| QA Contact | |
| Severity | medium |
| Docs Contact | |
| Priority | medium |
| Version | unspecified |
| CC | cstratak, hhorak, jorton, python-maint, saroy |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | If docs needed, set a value |
| Doc Text | A vulnerability was found in Python. This flaw allows an attacker to acquire sensitive information through the _asyncio._swap_current_task component. |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | 2233284, 2233285, 2233286, 2233287, 2233288, 2233289, 2234375 |
| Bug Blocks | 2233279 |
Description
Zack Miele
2023-08-21 19:51:25 UTC
If you can call an arbitrary function, there are many ways to get sensitive information.

Is there any relevant situation where an attacker can call _asyncio._swap_current_task specifically, but not an arbitrary function?

Created python3.12 tracking bugs for this issue:

Affects: fedora-all [bug 2234375]

(In reply to Petr Viktorin from comment #2)
> If you can call an arbitrary function, there are many ways to get sensitive
> information.
>
> Is there any relevant situation where an attacker can call
> _asyncio._swap_current_task specifically, but not an arbitrary function?

The needinfo on this question was removed without an answer or justification. Reinstating that.

In reply to comment #4:
> (In reply to Petr Viktorin from comment #2)
> > If you can call an arbitrary function, there are many ways to get sensitive
> > information.
> >
> > Is there any relevant situation where an attacker can call
> > _asyncio._swap_current_task specifically, but not an arbitrary function?
>
> The needinfo on this question was removed without an answer or
> justification. Reinstating that.

Meant to redirect this needinfo request to the main analyst for this task, sorry about that.

This CVE was not assigned by Red Hat, and our shipped product was not affected by this CVE.