2233280 – (CVE-2023-38898) CVE-2023-38898 python: sensitive information can be obtained via the _asyncio._swap_current_task component.

Bug 2233280 (CVE-2023-38898) - CVE-2023-38898 python: sensitive information can be obtained via the _asyncio._swap_current_task component.

Summary: CVE-2023-38898 python: sensitive information can be obtained via the _asyncio...

Keywords:
Status:	NEW
Alias:	CVE-2023-38898
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2233284 2233285 2233286 2233287 2233288 2233289 2234375
Blocks:	2233279
TreeView+	depends on / blocked

Reported:	2023-08-21 19:51 UTC by Zack Miele
Modified:	2024-03-20 10:33 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	A vulnerability was found in Python. This flaw allows an attacker to acquire sensitive information through the _asyncio._swap_current_task component.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Zack Miele 2023-08-21 19:51:25 UTC

An issue in Python cpython v.3.7 allows an attacker to obtain sensitive information via the _asyncio._swap_current_task component.

https://github.com/python/cpython/issues/105987

Comment 2 Petr Viktorin (pviktori) 2023-08-22 06:01:37 UTC

If you can call an arbirtary function, there are many ways to get sensitive information.

Is there any relevant situation where an attacker can call _asyncio._swap_current_task specifically, but not an arbitrary function?

Comment 3 Sandipan Roy 2023-08-24 08:35:09 UTC

Created python3.12 tracking bugs for this issue:

Affects: fedora-all [bug 2234375]

Comment 4 Charalampos Stratakis 2023-08-25 10:03:16 UTC

(In reply to Petr Viktorin from comment #2)
> If you can call an arbirtary function, there are many ways to get sensitive
> information.
> 
> Is there any relevant situation where an attacker can call
> _asyncio._swap_current_task specifically, but not an arbitrary function?

The needinfo on this question was removed without an answer or justification. Reinstating that.

Comment 5 Zack Miele 2023-08-25 12:59:03 UTC

In reply to comment #4:
> (In reply to Petr Viktorin from comment #2)
> > If you can call an arbirtary function, there are many ways to get sensitive
> > information.
> > 
> > Is there any relevant situation where an attacker can call
> > _asyncio._swap_current_task specifically, but not an arbitrary function?
> 
> The needinfo on this question was removed without an answer or
> justification. Reinstating that.

Meant to redirect this needinfo request to the main analyst for this task, sorry about that.

Comment 6 Sandipan Roy 2023-08-28 03:34:59 UTC

This CVE is not assigned by RED HAT, as well our shipped product was not affected by this CVE.

Note You need to log in before you can comment on or make changes to this bug.