CVE-2022-48566
Aliases:CVE-2023-38898BIT-libpython-2022-48566BIT-python-2022-48566BIT-python-2023-38898BIT-python-min-2022-48566GHSA-cgfh-jp5w-8cmxPSF-2023-6PSF-2023-7
Advisory lineage Upstream: 0 Downstream: 14
Modified
Published: 22 Aug 2023, 00:00
Last modified:03 Oct 2024, 14:08
Vulnerability Summary
Overall Risk (default)
medium
34/100 CVSS Score
5.9 MEDIUM
v3.1 (nvd)
EPSS Score
0.09% LOW
0% probability 0.00%
KEV
Not listed
Ransomware
No reports
Public exploits
1 found
Dark Web
Not detected
Timeline
22 Aug 2023, 00:00
Published
Vulnerability first disclosed
03 Oct 2024, 14:08
Last Modified
Vulnerability information updated
Description
An issue was discovered in compare_digest in Lib/hmac.py in Python through 3.9.1. Constant-time-defeating optimisations were possible in the accumulator variable in hmac.compare_digest.
CVSS Metrics
- v3.1•MEDIUM•Score: 5.9CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
- v3.1•MEDIUM•Score: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS Trends
Current EPSS score: 0.09%• Percentile: 26%
Techniques & Countermeasures
- CWE-362•Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
Affected Systems
- debian•python3.12
< 3.12.0~b4-1
- debian•debian_linux
10.0
- netapp•active_iq_unified_manager
na
- netapp•converged_systems_advisor_agent
na
- python•python
< 3.6.13 | ≥ 3.7.0, < 3.7.10 | ≥ 3.8.0, < 3.8.7 | ≥ 3.9.0, < 3.9.1
References (6)
- https://bugs.python.org/issue40791
- https://lists.debian.org/debian-lts-announce/2023/09/msg00022.html
- https://security.netapp.com/advisory/ntap-20231006-0013/
- https://lists.debian.org/debian-lts-announce/2023/10/msg00017.html
- https://github.com/python/cpython/issues/105987
- https://security-tracker.debian.org/tracker/CVE-2023-38898