sethmlarson committed Aug 24, 2023
1 parent b67dca6 commit 07f4d1c
Showing 4 changed files with 231 additions and 0 deletions.
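--- a/advisories/python/PSF-0000-CVE-2022-48565.json
+++ b/advisories/python/PSF-0000-CVE-2022-48565.json
@@ -0,0 +1,87 @@
+{
+"modified": "2023-08-24T00:00:00Z",
+"published": "2023-08-24T00:00:00Z",
+"schema_version": "1.5.0",
+"id": "PSF-0000-CVE-2022-48565",
+"aliases": [
+"CVE-2022-48566",
+"GHSA-crhm-wc96-7579"
+],
+"summary": "XML External Entity issue in plistlib module",
+"details": "An XML External Entity (XXE) issue was discovered in Python through 3.9.1. The plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities.",
+"affected": [
+{
+"ranges": [
+{
+"type": "GIT",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "05ee790f4d1cd8725a90b54268fc1dfe5b4d1fa2"
+},
+{
+"fixed": "479553c7c11306a09ce34edb6ef208133b7b95fe"
+},
+{
+"fixed": "65894cac0835cb8f469f649e20aa1be8bf89f5ae"
+},
+{
+"fixed": "e512bc799e3864fe3b1351757261762d63471efc"
+},
+{
+"fixed": "a158fb9c5138db94adf24fbc5690467cda811163"
+}
+],
+"repo": "https://github.com/python/cpython"
+},
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "3.6.15"
+},
+{
+"introduced": "3.7.0"
+},
+{
+"fixed": "3.7.17"
+},
+{
+"introduced": "3.8.0"
+},
+{
+"fixed": "3.8.7"
+},
+{
+"introduced": "3.9.0"
+},
+{
+"fixed": "3.9.1"
+},
+{
+"introduced": "3.10.0a1"
+},
+{
+"fixed": "3.10.0a2"
+}
+]
+}
+]
+}
+],
+"references": [
+{
+"type": "ADVISORY",
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48565"
+},
+{
+"type": "WEB",
+"url": "https://bugs.python.org/issue42051"
+}
+]
+}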
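Review bot: The aliases array near the top of this file lists `CVE-2022-48566`, which is the hmac compare_digest CVE covered by the sibling advisory, while this record's id, summary and ADVISORY reference all point at CVE-2022-48565, so any consumer that matches advisories by alias will attach the plistlib XXE to the wrong CVE; the line should read `"CVE-2022-48565",`. Separately, the details text says the issue affects Python "through 3.9.1" while the ECOSYSTEM range marks 3.9.1 as the fixed version, and the same wording appears in PSF-0000-CVE-2022-48566.json; the range is the machine-readable part, so the sentence is worth aligning with it. The 3.6 and 3.7 fixed versions here (3.6.15, 3.7.17) also differ from the 3.6.13 and 3.7.10 used in the sibling advisory for what looks like the same fix window, which is worth confirming against the referenced bpo-42051 before publishing.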
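--- a/advisories/python/PSF-0000-CVE-2022-48566.json
+++ b/advisories/python/PSF-0000-CVE-2022-48566.json
@@ -0,0 +1,87 @@
+{
+"modified": "2023-08-24T00:00:00Z",
+"published": "2023-08-24T00:00:00Z",
+"schema_version": "1.5.0",
+"id": "PSF-0000-CVE-2022-48566",
+"aliases": [
+"CVE-2022-48566",
+"GHSA-cgfh-jp5w-8cmx"
+],
+"summary": "hmac.compare_digest() accumulator not constant-time",
+"details": "An issue was discovered in compare_digest in Lib/hmac.py in Python through 3.9.1. Constant-time-defeating optimisations were possible in the accumulator variable in hmac.compare_digest.",
+"affected": [
+{
+"ranges": [
+{
+"type": "GIT",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "31729366e2bc09632e78f3896dbce0ae64914f28"
+},
+{
+"fixed": "c1bbca5b004b3f74d240ef8a76ff445cc1a27efb"
+},
+{
+"fixed": "97136d71a78a4b6b816f7e14acc52be426efcb6f"
+},
+{
+"fixed": "db95802bdfac4d13db3e2a391ec7b9e2f8d92dbe"
+},
+{
+"fixed": "8bef9ebb1b88cfa4b2a38b93fe4ea22015d8254a"
+}
+],
+"repo": "https://github.com/python/cpython"
+},
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "3.6.13"
+},
+{
+"introduced": "3.7.0"
+},
+{
+"fixed": "3.7.10"
+},
+{
+"introduced": "3.8.0"
+},
+{
+"fixed": "3.8.7"
+},
+{
+"introduced": "3.9.0"
+},
+{
+"fixed": "3.9.1"
+},
+{
+"introduced": "3.10.0a1"
+},
+{
+"fixed": "3.10.0a3"
+}
+]
+}
+]
+}
+],
+"references": [
+{
+"type": "ADVISORY",
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-48566"
+},
+{
+"type": "WEB",
+"url": "https://bugs.python.org/issue40791"
+}
+]
+}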
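--- a/advisories/python/PSF-0000-CVE-2023-38898.json
+++ b/advisories/python/PSF-0000-CVE-2023-38898.json
@@ -0,0 +1,54 @@
+{
+"modified": "2023-08-24T00:00:00Z",
+"published": "2023-08-24T00:00:00Z",
+"schema_version": "1.5.0",
+"id": "PSF-0000-CVE-2022-48565",
+"aliases": [
+"CVE-2022-48566",
+"GHSA-cgfh-jp5w-8cmx"
+],
+"summary": "Reference count issue in _asyncio._swap_current_task()",
+"details": "An issue in Python CPython 3.12.0b1 allows an attacker to obtain sensitive information via the _asyncio._swap_current_task() component.",
+"affected": [
+{
+"ranges": [
+{
+"type": "GIT",
+"events": [
+{
+"introduced": "a474e04388c2ef6aca75c26cb70a1b6200235feb"
+},
+{
+"fixed": "d2cbb6e918d9ea39f0dd44acb53270f2dac07454"
+},
+{
+"fixed": "9e6f8d46150c1a0af09d68ce63c603cf321994aa"
+}
+],
+"repo": "https://github.com/python/cpython"
+},
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "3.12.0b1"
+},
+{
+"fixed": "3.12.0rc2"
+}
+]
+}
+]
+}
+],
+"references": [
+{
+"type": "ADVISORY",
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-38898"
+},
+{
+"type": "WEB",
+"url": "https://github.com/python/cpython/issues/105987"
+}
+]
+}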
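Review bot: The id and aliases at the top of this file are carried over from the hmac advisory: `id` is `PSF-0000-CVE-2022-48565`, which duplicates the id already used by PSF-0000-CVE-2022-48565.json in this same commit, and the aliases `CVE-2022-48566` and `GHSA-cgfh-jp5w-8cmx` are the ones PSF-0000-CVE-2022-48566.json claims, even though the filename, summary, details and ADVISORY reference all describe CVE-2023-38898. A duplicate id breaks any index keyed on it, and the shared aliases would merge the _asyncio reference-count issue into the compare_digest record in downstream alias matching. The id line should be `"id": "PSF-0000-CVE-2023-38898",` and the first alias `"CVE-2023-38898",`. The GHSA alias should be replaced with the identifier actually assigned to this CVE, or dropped until it is known, since the one listed belongs to the other advisory.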
3 changes: 3 additions & 0 deletions tools/import-historical-advisories.py
Expand Up @@ -13,6 +13,9 @@
# Manually submitted CVE IDs
"CVE-2023-33595",
"CVE-2023-36632",
"CVE-2022-488565",
"CVE-2022-488566",
"CVE-2023-38898",
# List of CVE IDs was taken from https://github.com/vstinner/python-security
"CVE-2007-4965",
"CVE-2008-1679",
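Review bot: The two new entries `"CVE-2022-488565"` and `"CVE-2022-488566"` carry an extra digit; the advisory files added in this commit and their ADVISORY references use CVE-2022-48565 and CVE-2022-48566, so these strings will never match whatever this list is compared against. They should read `"CVE-2022-48565",` and `"CVE-2022-48566",`. The list this hunk extends begins above the hunk (only the "Manually submitted CVE IDs" comment is visible as context), so I cannot see how the IDs are consumed; presumably it is a skip- or include-list for the historical importer, in which case a misspelled ID is silently ignored rather than reported. A cheap guard would be a check at load time that every entry matches the `CVE-YYYY-NNNN` shape or corresponds to an existing advisory file, so typos like this fail loudly.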