Bug 2233280 (CVE-2023-38898) - CVE-2023-38898 python: sensitive information can be obtained via the _asyncio._swap_current_task component.
Keywords:
Status: NEW
Alias: CVE-2023-38898
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2233284 2233285 2233286 2233287 2233288 2233289 2234375
Blocks: 2233279
Reported: 2023-08-21 19:51 UTC by Zack Miele
Modified: 2024-01-01 01:09 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in Python. This flaw allows an attacker to acquire sensitive information through the _asyncio._swap_current_task component.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description Zack Miele 2023-08-21 19:51:25 UTC
An issue in Python cpython v.3.7 allows an attacker to obtain sensitive information via the _asyncio._swap_current_task component.

https://github.com/python/cpython/issues/105987

Comment 2 Petr Viktorin (pviktori) 2023-08-22 06:01:37 UTC
If you can call an arbitrary function, there are many ways to get sensitive information.

Is there any relevant situation where an attacker can call _asyncio._swap_current_task specifically, but not an arbitrary function?

Comment 3 Sandipan Roy 2023-08-24 08:35:09 UTC
Created python3.12 tracking bugs for this issue:

Affects: fedora-all [bug 2234375]

Comment 4 Charalampos Stratakis 2023-08-25 10:03:16 UTC
(In reply to Petr Viktorin from comment #2)
> If you can call an arbitrary function, there are many ways to get sensitive
> information.
> 
> Is there any relevant situation where an attacker can call
> _asyncio._swap_current_task specifically, but not an arbitrary function?

The needinfo on this question was removed without an answer or justification. Reinstating that.

Comment 5 Zack Miele 2023-08-25 12:59:03 UTC
In reply to comment #4:
> (In reply to Petr Viktorin from comment #2)
> > If you can call an arbitrary function, there are many ways to get sensitive
> > information.
> > 
> > Is there any relevant situation where an attacker can call
> > _asyncio._swap_current_task specifically, but not an arbitrary function?
> 
> The needinfo on this question was removed without an answer or
> justification. Reinstating that.

Meant to redirect this needinfo request to the main analyst for this task, sorry about that.

Comment 6 Sandipan Roy 2023-08-28 03:34:59 UTC
This CVE was not assigned by Red Hat, and our shipped products were not affected by this CVE.
