#VU95571 Command Injection in Python - CVE-2024-6923


Vulnerability identifier: #VU95571

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-6923

CWE-ID: CWE-77

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Python
Universal components / Libraries / Scripting languages

Vendor: Python.org

Description

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to insufficient validation of newlines for email headers when serializing an email message. A remote attacker can inject arbitrary headers into serialized email messages.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Python: 3.12.0 - 3.12.4

External links
http://github.com/python/cpython/pull/122233
http://github.com/python/cpython/issues/121650
http://mail.python.org/archives/list/security-announce@python.org/thread/QH3BUOE2DYQBWP7NAQ7UNHPPOELKISRW/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM System Storage Virtualization Engine TS7700
Multiple vulnerabilities in IBM Cloud Pak for AIOps
Multiple vulnerabilities in IBM QRadar Network Packet Capture
Multiple vulnerabilities in Red Hat Advanced Cluster Management for Kubernetes 2.10
Oracle Solaris update for third-party components
Multiple vulnerabilities in Dell OpenManage Network Integration (OMNI)
Multiple vulnerabilities in Dell VxRail Appliance
Multiple vulnerabilities in Dell Cloud Tiering Appliance
Multiple vulnerabilities in Service Interconnect
Multiple vulnerabilities in Migration Toolkit for Containers 1.8