CVE-2023-33595
Published: 7 June 2023
CPython v3.12.0 alpha 7 was discovered to contain a heap use-after-free via the function ascii_decode at /Objects/unicodeobject.c.
Notes
Author | Note |
---|---|
alexmurray | This vulnerability was introduced in upstream commit 1ef61cf71a218c71860ff6aecf0fd51edb8b65dc and the fix was also committed upstream in commit d5a97074d24cd14cb2a35a2b1ad3074863cde264. Both of these were part of the 3.12.0b1 release, so no versions of python3.12 in Ubuntu were affected (also no other python3.x versions are affected, as the original vulnerable commit was only released during the development of Python 3.12). |
Priority
Status
Package | Release | Status |
---|---|---|
python | bionic | Ignored (end of standard support) |
python | focal | Does not exist |
python | jammy | Does not exist |
python | kinetic | Does not exist |
python | lunar | Does not exist |
python | trusty | Ignored (end of standard support) |
python | upstream | Not vulnerable (code not present) |
python | xenial | Ignored (end of standard support) |
Patches: upstream: https://github.com/python/cpython/commit/d5a97074d24cd14cb2a35a2b1ad3074863cde264 |
python2.7 | bionic | Not vulnerable (code not present) |
python2.7 | focal | Not vulnerable (code not present) |
python2.7 | jammy | Not vulnerable (code not present) |
python2.7 | kinetic | Not vulnerable (code not present) |
python2.7 | lunar | Does not exist |
python2.7 | trusty | Not vulnerable (code not present) |
python2.7 | upstream | Not vulnerable (code not present) |
python2.7 | xenial | Not vulnerable (code not present) |
python3.10 | bionic | Does not exist |
python3.10 | focal | Does not exist |
python3.10 | jammy | Not vulnerable (code not present) |
python3.10 | kinetic | Not vulnerable (code not present) |
python3.10 | lunar | Does not exist |
python3.10 | trusty | Does not exist |
python3.10 | upstream | Not vulnerable (code not present) |
python3.10 | xenial | Does not exist |
python3.11 | bionic | Does not exist |
python3.11 | focal | Does not exist |
python3.11 | jammy | Not vulnerable (code not present) |
python3.11 | kinetic | Not vulnerable (code not present) |
python3.11 | lunar | Not vulnerable (code not present) |
python3.11 | trusty | Does not exist |
python3.11 | upstream | Not vulnerable (code not present) |
python3.11 | xenial | Does not exist |
python3.12 | bionic | Does not exist |
python3.12 | focal | Does not exist |
python3.12 | jammy | Does not exist |
python3.12 | kinetic | Does not exist |
python3.12 | lunar | Does not exist |
python3.12 | trusty | Does not exist |
python3.12 | upstream | Not vulnerable (3.12.0~b2-1) |
python3.12 | xenial | Does not exist |
python3.4 | bionic | Does not exist |
python3.4 | focal | Does not exist |
python3.4 | jammy | Does not exist |
python3.4 | kinetic | Does not exist |
python3.4 | lunar | Does not exist |
python3.4 | trusty | Not vulnerable (code not present) |
python3.4 | upstream | Not vulnerable (code not present) |
python3.4 | xenial | Does not exist |
python3.5 | bionic | Does not exist |
python3.5 | focal | Does not exist |
python3.5 | jammy | Does not exist |
python3.5 | kinetic | Does not exist |
python3.5 | lunar | Does not exist |
python3.5 | trusty | Not vulnerable (code not present) |
python3.5 | upstream | Not vulnerable (code not present) |
python3.5 | xenial | Not vulnerable (code not present) |
python3.6 | bionic | Not vulnerable (code not present) |
python3.6 | focal | Does not exist |
python3.6 | jammy | Does not exist |
python3.6 | kinetic | Does not exist |
python3.6 | lunar | Does not exist |
python3.6 | trusty | Does not exist |
python3.6 | upstream | Not vulnerable (code not present) |
python3.6 | xenial | Does not exist |
python3.7 | bionic | Not vulnerable (code not present) |
python3.7 | focal | Does not exist |
python3.7 | jammy | Does not exist |
python3.7 | kinetic | Does not exist |
python3.7 | lunar | Does not exist |
python3.7 | trusty | Does not exist |
python3.7 | upstream | Not vulnerable (code not present) |
python3.7 | xenial | Does not exist |
python3.8 | bionic | Not vulnerable (code not present) |
python3.8 | focal | Not vulnerable (code not present) |
python3.8 | jammy | Does not exist |
python3.8 | kinetic | Does not exist |
python3.8 | lunar | Does not exist |
python3.8 | trusty | Does not exist |
python3.8 | upstream | Not vulnerable (code not present) |
python3.8 | xenial | Does not exist |
python3.9 | bionic | Does not exist |
python3.9 | focal | Not vulnerable (code not present) |
python3.9 | jammy | Does not exist |
python3.9 | kinetic | Does not exist |
python3.9 | lunar | Does not exist |
python3.9 | trusty | Does not exist |
python3.9 | upstream | Not vulnerable (code not present) |
python3.9 | xenial | Does not exist |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 5.5 |
Attack vector | Local |
Attack complexity | Low |
Privileges required | None |
User interaction | Required |
Scope | Unchanged |
Confidentiality | None |
Integrity impact | None |
Availability impact | High |
Vector | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |