Command Injection in Python

#VU95571 Command Injection in Python

Published: 2024-08-08

Vulnerability identifier: #VU95571

Vulnerability risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-6923

CWE-ID: CWE-77

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Python
Universal components / Libraries / Scripting languages

Vendor: Python.org

Description

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to insufficient validation of newlines for email headers when serializing an email message. A remote attacker can inject arbitrary headers into serialized email messages.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Python: 3.12.0 - 3.12.4

External links
http://github.com/python/cpython/pull/122233
http://github.com/python/cpython/issues/121650
http://mail.python.org/archives/list/security-announce@python.org/thread/QH3BUOE2DYQBWP7NAQ7UNHPPOELKISRW/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Red Hat Advanced Cluster Management for Kubernetes 2.10

SUSE update for python312

SUSE update for python3

SUSE update for python36

Ubuntu update for python3.10

Multiple vulnerabilities in Red Hat OpenShift Dev Spaces

Fedora 40 update for python3.8

Fedora 41 update for python3.8

Fedora 39 update for python3.8