omrimend / conda_project

for tests

python-3.8.18-h955ad1f_0.tar.bz2: 1 vulnerabilities (highest severity is: 7.8) - autoclosed #4

Closed dev-mend-for-github-com[bot] closed 3 months ago

dev-mend-for-github-com[bot] commented 5 months ago
Vulnerable Library - python-3.8.18-h955ad1f_0.tar.bz2

General purpose programming language

Library home page: https://api.anaconda.org/download/main/python/3.8.18/linux-64/python-3.8.18-h955ad1f_0.tar.bz2

Path to dependency file: /environment.yml

Path to vulnerable library: /home/wss-scanner/miniconda3/pkgs/python-3.8.18-h955ad1f_0.tar.bz2

Found in HEAD commit: 0176dbbc4a1232e1926229894b718c7c733b0cff

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (python version) | Remediation Possible** |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2022-42919 | High | 7.8 | python-3.8.18-h955ad1f_0.tar.bz2 | Direct | N/A | |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2022-42919

### Vulnerable Library - python-3.8.18-h955ad1f_0.tar.bz2


Dependency Hierarchy:

- :x: **python-3.8.18-h955ad1f_0.tar.bz2** (Vulnerable Library)


Found in base branch: master

### Vulnerability Details

Python 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux allows local privilege escalation in a non-default configuration. The Python multiprocessing library, when used with the forkserver start method on Linux, allows pickles to be deserialized from any user in the same machine local network namespace, which in many system configurations means any user on the same machine. Pickles can execute arbitrary code. Thus, this allows for local user privilege escalation to the user that any forkserver process is running as. Setting multiprocessing.util.abstract_sockets_supported to False is a workaround. The forkserver start method for multiprocessing is not the default start method. This issue is Linux specific because only Linux supports abstract namespace sockets. CPython before 3.9 does not make use of Linux abstract namespace sockets by default. Support for users manually specifying an abstract namespace socket was added as a bugfix in 3.7.8 and 3.8.3, but users would need to make specific uncommon API calls in order to do that in CPython before 3.9.

Publish Date: 2022-11-07

URL: CVE-2022-42919

### CVSS 3 Score Details (7.8)

Base Score Metrics:

- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

dev-mend-for-github-com[bot] commented 3 months ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.