CVE-2023-38898 - OpenCVE

An issue in Python cpython v.3.7 allows an attacker to obtain sensitive information via the _asyncio._swap_current_task component. NOTE: this is disputed by the vendor because (1) neither 3.7 nor any other release is affected (it is a bug in some 3.12 pre-releases); (2) there are no common scenarios in which an adversary can call _asyncio._swap_current_task but does not already have the ability to call arbitrary functions; and (3) there are no common scenarios in which sensitive information, which is not already accessible to an adversary, becomes accessible through this bug.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Python	Python

Configuration 1 [-]

cpe:2.3:a:python:python:3.13.0:alpha0:*:*:*:*:*:*

References

Link	Resource
https://github.com/python/cpython/issues/105987	Exploit Issue Tracking Patch

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2023-08-15T00:00:00

Updated: 2023-08-25T00:36:15.188431

Reserved: 2023-07-25T00:00:00

Link: CVE-2023-38898

JSON object: View

NVD Information

Status : Modified

Published: 2023-08-15T17:15:12.187

Modified: 2024-05-17T02:26:45.080

Link: CVE-2023-38898

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-Other

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:python:python:3.13.0:alpha0:*:*:*:*:*:*", "matchCriteriaId": "3BA51E41-D221-431F-870F-536AF2867B50", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An issue in Python cpython v.3.7 allows an attacker to obtain sensitive information via the _asyncio._swap_current_task component. NOTE: this is disputed by the vendor because (1) neither 3.7 nor any other release is affected (it is a bug in some 3.12 pre-releases); (2) there are no common scenarios in which an adversary can call _asyncio._swap_current_task but does not already have the ability to call arbitrary functions; and (3) there are no common scenarios in which sensitive information, which is not already accessible to an adversary, becomes accessible through this bug."}, {"lang": "es", "value": "Un problema en Python cpython v.3.7 permite a un atacante obtener informaci\u00f3n sensible a trav\u00e9s del componente _asyncio._swap_current_task. NOTA: esto es discutido por el vendedor porque (1) ni la versi\u00f3n 3.7 ni ninguna otra est\u00e1 afectada (es un fallo en algunas versiones previas a la 3.12); (2) no hay escenarios comunes en los que un adversario pueda llamar a _asyncio._swap_current_task pero no tenga ya la capacidad de llamar a funciones arbitrarias; y (3) no hay escenarios comunes en los que informaci\u00f3n sensible, que no est\u00e9 ya accesible para un adversario, se vuelva accesible a trav\u00e9s de este fallo."}], "id": "CVE-2023-38898", "lastModified": "2024-05-17T02:26:45.080", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-08-15T17:15:12.187", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Issue Tracking", "Patch"], "url": "https://github.com/python/cpython/issues/105987"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}