SUSE update for python3



Risk Medium
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2023-24329
CWE-ID CWE-20
Exploitation vector Network
Public exploit N/A
Vulnerable software
SUSE Linux Enterprise Server for SAP Applications 15
Operating systems & Components / Operating system

SUSE Linux Enterprise Server 15 SP2 LTSS
Operating systems & Components / Operating system

SUSE Linux Enterprise Server 15
Operating systems & Components / Operating system

SUSE Linux Enterprise Server 15 SP1 LTSS
Operating systems & Components / Operating system

SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS
Operating systems & Components / Operating system

SUSE Linux Enterprise High Performance Computing 15
Operating systems & Components / Operating system

SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS
Operating systems & Components / Operating system

SUSE Enterprise Storage
Operating systems & Components / Operating system

SUSE CaaS Platform
Operating systems & Components / Operating system

SUSE Linux Enterprise Micro
Operating systems & Components / Operating system

python3-dbm
Operating systems & Components / Operating system package or component

python3-devel
Operating systems & Components / Operating system package or component

python3-curses
Operating systems & Components / Operating system package or component

python3-core-debugsource
Operating systems & Components / Operating system package or component

libpython3_6m1_0
Operating systems & Components / Operating system package or component

python3-tools
Operating systems & Components / Operating system package or component

python3-curses-debuginfo
Operating systems & Components / Operating system package or component

python3-tk-debuginfo
Operating systems & Components / Operating system package or component

python3-debuginfo
Operating systems & Components / Operating system package or component

python3-devel-debuginfo
Operating systems & Components / Operating system package or component

python3-base-debuginfo
Operating systems & Components / Operating system package or component

python3-dbm-debuginfo
Operating systems & Components / Operating system package or component

libpython3_6m1_0-debuginfo
Operating systems & Components / Operating system package or component

python3-idle
Operating systems & Components / Operating system package or component

python3-debugsource
Operating systems & Components / Operating system package or component

python3-base
Operating systems & Components / Operating system package or component

python3
Operating systems & Components / Operating system package or component

python3-tk
Operating systems & Components / Operating system package or component

python3-testsuite
Operating systems & Components / Operating system package or component

Vendor SUSE

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Input validation error

EUVDB-ID: #VU72618

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-24329

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass implemented filters.

The vulnerability exists due to insufficient validation of URLs that start with blank characters within urllib.parse component of Python. A remote attacker can pass specially crafted URL to bypass existing filters.

Mitigation

Update the affected package python3 to the latest version.

Vulnerable software versions

SUSE Linux Enterprise Server for SAP Applications 15: SP1 - SP2

SUSE Linux Enterprise Server 15 SP2 LTSS: 15-SP2

SUSE Linux Enterprise Server 15: SP1 - SP2

SUSE Linux Enterprise Server 15 SP1 LTSS: 15-SP1

SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS: 15-SP2

SUSE Linux Enterprise High Performance Computing 15: SP1 - SP2

SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS: 15-SP1

SUSE Enterprise Storage: 7.1

SUSE CaaS Platform: 4.0

SUSE Linux Enterprise Micro: 5.1

python3-dbm: before 3.6.15-150000.3.124.1

python3-devel: before 3.6.15-150000.3.124.1

python3-curses: before 3.6.15-150000.3.124.1

python3-core-debugsource: before 3.6.15-150000.3.124.1

libpython3_6m1_0: before 3.6.15-150000.3.124.1

python3-tools: before 3.6.15-150000.3.124.1

python3-curses-debuginfo: before 3.6.15-150000.3.124.1

python3-tk-debuginfo: before 3.6.15-150000.3.124.1

python3-debuginfo: before 3.6.15-150000.3.124.1

python3-devel-debuginfo: before 3.6.15-150000.3.124.1

python3-base-debuginfo: before 3.6.15-150000.3.124.1

python3-dbm-debuginfo: before 3.6.15-150000.3.124.1

libpython3_6m1_0-debuginfo: before 3.6.15-150000.3.124.1

python3-idle: before 3.6.15-150000.3.124.1

python3-debugsource: before 3.6.15-150000.3.124.1

python3-base: before 3.6.15-150000.3.124.1

python3: before 3.6.15-150000.3.124.1

python3-tk: before 3.6.15-150000.3.124.1

python3-testsuite: before 3.6.15-150000.3.124.1

CPE2.3 External links

https://www.suse.com/support/update/announcement/2023/suse-su-20230736-1/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###