Ubuntu update for python3.10

1) Input validation error

EUVDB-ID: #VU82980

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-27043

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to bypass filtration.

The vulnerability exists due to insufficient validation of user-supplied input when parsing email address with a special character. A remote attacker can bypass a protection mechanism in which application access is granted only after verifying receipt of e-mail to a specific domain.

Mitigation

Update the affected package python3.10 to the latest version.

Vulnerable software versions

Ubuntu: 20.04 - 24.04

python3.8-minimal (Ubuntu package): before 3.8.10-0ubuntu1~20.04.12

python3.8 (Ubuntu package): before 3.8.10-0ubuntu1~20.04.12

python3.10-minimal (Ubuntu package): before 3.10.12-1~22.04.6

python3.10 (Ubuntu package): before 3.10.12-1~22.04.6

python3.12-minimal (Ubuntu package): before 3.12.3-1ubuntu0.2

python3.12 (Ubuntu package): before 3.12.3-1ubuntu0.2

CPE2.3

• cpe:2.3:o:canonical:ubuntu:20.04:*:*:*:*:*:*:*
• cpe:2.3:o:canonical:ubuntu:22.04:*:*:*:*:*:*:*
• cpe:2.3:o:canonical:ubuntu:24.04:*:*:*:*:*:*:*
• cpe:2.3:o:canonical:python3.8-minimal_ubuntu_package:*:*:*:*:*:ubuntu:*:*
• cpe:2.3:o:canonical:python3.8_ubuntu_package:*:*:*:*:*:ubuntu:*:*
• cpe:2.3:o:canonical:python3.10-minimal_ubuntu_package:*:*:*:*:*:ubuntu:*:*
• cpe:2.3:o:canonical:python3.10_ubuntu_package:*:*:*:*:*:ubuntu:*:*
• cpe:2.3:o:canonical:python3.12-minimal_ubuntu_package:*:*:*:*:*:ubuntu:*:*
• cpe:2.3:o:canonical:python3.12_ubuntu_package:*:*:*:*:*:ubuntu:*:*

External links

https://ubuntu.com/security/notices/USN-7015-1

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Incorrect Regular Expression

EUVDB-ID: #VU96745

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-6232

CWE-ID: CWE-185 - Incorrect Regular Expression

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of .tar archives when processing it with regular expressions. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.

Mitigation

Update the affected package python3.10 to the latest version.

Vulnerable software versions

Ubuntu: 20.04 - 24.04

python3.8-minimal (Ubuntu package): before 3.8.10-0ubuntu1~20.04.12

python3.8 (Ubuntu package): before 3.8.10-0ubuntu1~20.04.12

python3.10-minimal (Ubuntu package): before 3.10.12-1~22.04.6

python3.10 (Ubuntu package): before 3.10.12-1~22.04.6

python3.12-minimal (Ubuntu package): before 3.12.3-1ubuntu0.2

python3.12 (Ubuntu package): before 3.12.3-1ubuntu0.2

CPE2.3

• cpe:2.3:o:canonical:python3.8-minimal_ubuntu_package:*:*:*:*:*:ubuntu:*:*
• cpe:2.3:o:canonical:python3.8_ubuntu_package:*:*:*:*:*:ubuntu:*:*
• cpe:2.3:o:canonical:python3.10-minimal_ubuntu_package:*:*:*:*:*:ubuntu:*:*
• cpe:2.3:o:canonical:python3.10_ubuntu_package:*:*:*:*:*:ubuntu:*:*
• cpe:2.3:o:canonical:python3.12-minimal_ubuntu_package:*:*:*:*:*:ubuntu:*:*
• cpe:2.3:o:canonical:python3.12_ubuntu_package:*:*:*:*:*:ubuntu:*:*

External links

https://ubuntu.com/security/notices/USN-7015-1

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Command Injection

EUVDB-ID: #VU95571

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-6923

CWE-ID: CWE-77 - Command injection

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to insufficient validation of newlines for email headers when serializing an email message. A remote attacker can inject arbitrary headers into serialized email messages.

Mitigation

Update the affected package python3.10 to the latest version.

Vulnerable software versions

Ubuntu: 20.04 - 24.04

python3.8-minimal (Ubuntu package): before 3.8.10-0ubuntu1~20.04.12

python3.8 (Ubuntu package): before 3.8.10-0ubuntu1~20.04.12

python3.10-minimal (Ubuntu package): before 3.10.12-1~22.04.6

python3.10 (Ubuntu package): before 3.10.12-1~22.04.6

python3.12-minimal (Ubuntu package): before 3.12.3-1ubuntu0.2

python3.12 (Ubuntu package): before 3.12.3-1ubuntu0.2

CPE2.3

• cpe:2.3:o:canonical:python3.8-minimal_ubuntu_package:*:*:*:*:*:ubuntu:*:*
• cpe:2.3:o:canonical:python3.8_ubuntu_package:*:*:*:*:*:ubuntu:*:*
• cpe:2.3:o:canonical:python3.10-minimal_ubuntu_package:*:*:*:*:*:ubuntu:*:*
• cpe:2.3:o:canonical:python3.10_ubuntu_package:*:*:*:*:*:ubuntu:*:*
• cpe:2.3:o:canonical:python3.12-minimal_ubuntu_package:*:*:*:*:*:ubuntu:*:*
• cpe:2.3:o:canonical:python3.12_ubuntu_package:*:*:*:*:*:ubuntu:*:*

External links

https://ubuntu.com/security/notices/USN-7015-1

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Resource exhaustion

EUVDB-ID: #VU96945

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-7592

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources within the 'http.cookies' standard library module when parsing cookies that contained backslashes for quoted characters in the cookie value. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

Mitigation

Update the affected package python3.10 to the latest version.

Vulnerable software versions

Ubuntu: 20.04 - 24.04

python3.8-minimal (Ubuntu package): before 3.8.10-0ubuntu1~20.04.12

python3.8 (Ubuntu package): before 3.8.10-0ubuntu1~20.04.12

python3.10-minimal (Ubuntu package): before 3.10.12-1~22.04.6

python3.10 (Ubuntu package): before 3.10.12-1~22.04.6

python3.12-minimal (Ubuntu package): before 3.12.3-1ubuntu0.2

python3.12 (Ubuntu package): before 3.12.3-1ubuntu0.2

CPE2.3

• cpe:2.3:o:canonical:python3.8-minimal_ubuntu_package:*:*:*:*:*:ubuntu:*:*
• cpe:2.3:o:canonical:python3.8_ubuntu_package:*:*:*:*:*:ubuntu:*:*
• cpe:2.3:o:canonical:python3.10-minimal_ubuntu_package:*:*:*:*:*:ubuntu:*:*
• cpe:2.3:o:canonical:python3.10_ubuntu_package:*:*:*:*:*:ubuntu:*:*
• cpe:2.3:o:canonical:python3.12-minimal_ubuntu_package:*:*:*:*:*:ubuntu:*:*
• cpe:2.3:o:canonical:python3.12_ubuntu_package:*:*:*:*:*:ubuntu:*:*

External links

https://ubuntu.com/security/notices/USN-7015-1

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Infinite loop

EUVDB-ID: #VU96596

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-8088

CWE-ID: CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop within the the CPython "zipfile" module affecting "zipfile.Path". A remote attacker can consume all available system resources and cause denial of service conditions.

Mitigation

Update the affected package python3.10 to the latest version.

Vulnerable software versions

Ubuntu: 20.04 - 24.04

python3.8-minimal (Ubuntu package): before 3.8.10-0ubuntu1~20.04.12

python3.8 (Ubuntu package): before 3.8.10-0ubuntu1~20.04.12

python3.10-minimal (Ubuntu package): before 3.10.12-1~22.04.6

python3.10 (Ubuntu package): before 3.10.12-1~22.04.6

python3.12-minimal (Ubuntu package): before 3.12.3-1ubuntu0.2

python3.12 (Ubuntu package): before 3.12.3-1ubuntu0.2

CPE2.3

• cpe:2.3:o:canonical:python3.8-minimal_ubuntu_package:*:*:*:*:*:ubuntu:*:*
• cpe:2.3:o:canonical:python3.8_ubuntu_package:*:*:*:*:*:ubuntu:*:*
• cpe:2.3:o:canonical:python3.10-minimal_ubuntu_package:*:*:*:*:*:ubuntu:*:*
• cpe:2.3:o:canonical:python3.10_ubuntu_package:*:*:*:*:*:ubuntu:*:*
• cpe:2.3:o:canonical:python3.12-minimal_ubuntu_package:*:*:*:*:*:ubuntu:*:*
• cpe:2.3:o:canonical:python3.12_ubuntu_package:*:*:*:*:*:ubuntu:*:*

External links

https://ubuntu.com/security/notices/USN-7015-1

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.