Closed by dev-mend-for-github-com[bot] 3 months ago
:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
Vulnerable Library - python-3.8.18-h955ad1f_0.tar.bz2
General purpose programming language
Library home page: https://api.anaconda.org/download/main/python/3.8.18/linux-64/python-3.8.18-h955ad1f_0.tar.bz2
Path to dependency file: /environment.yml
Path to vulnerable library: /home/wss-scanner/miniconda3/pkgs/python-3.8.18-h955ad1f_0.tar.bz2
Found in HEAD commit: 0176dbbc4a1232e1926229894b718c7c733b0cff
Vulnerabilities
In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation.
Details
CVE-2022-42919
### Vulnerable Library - python-3.8.18-h955ad1f_0.tar.bz2

General purpose programming language
Library home page: https://api.anaconda.org/download/main/python/3.8.18/linux-64/python-3.8.18-h955ad1f_0.tar.bz2
Path to dependency file: /environment.yml
Path to vulnerable library: /home/wss-scanner/miniconda3/pkgs/python-3.8.18-h955ad1f_0.tar.bz2
Dependency Hierarchy:
- :x: **python-3.8.18-h955ad1f_0.tar.bz2** (Vulnerable Library)
Found in HEAD commit: 0176dbbc4a1232e1926229894b718c7c733b0cff
Found in base branch: master
### Vulnerability Details

Python 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux allows local privilege escalation in a non-default configuration. The Python multiprocessing library, when used with the forkserver start method on Linux, allows pickles to be deserialized from any user in the same machine local network namespace, which in many system configurations means any user on the same machine. Pickles can execute arbitrary code. Thus, this allows for local user privilege escalation to the user that any forkserver process is running as. Setting multiprocessing.util.abstract_sockets_supported to False is a workaround. The forkserver start method for multiprocessing is not the default start method. This issue is Linux specific because only Linux supports abstract namespace sockets. CPython before 3.9 does not make use of Linux abstract namespace sockets by default. Support for users manually specifying an abstract namespace socket was added as a bugfix in 3.7.8 and 3.8.3, but users would need to make specific uncommon API calls in order to do that in CPython before 3.9.
Publish Date: 2022-11-07
URL: CVE-2022-42919
### CVSS 3 Score Details (7.8)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
For more information on CVSS3 Scores, click here.