Vulnerability in Python Libraries
Python is the most widely used programming language and gives us great flexibility in writing code, but it also comes with plenty of vulnerabilities. The severity of a vulnerability depends on the error present in the code.
The majority of Python bugs are caused by insufficient user input validation, which allows the user to insert arbitrary inputs to exploit flaws in the system. Here are some of the common vulnerabilities I came across on a daily basis while doing static and dynamic testing, which generally get ignored. (Only the latest ones.)
1. urlparse does not correctly handle schemes
Description: An issue in the urllib.parse component of Python before v3.11 allows attackers to bypass blocklisting methods by supplying a URL that starts with blank characters.
Vulnerability Type: bypass
Vulnerable Python versions: 3.7, 3.8, 3.9, 3.10
Fixed in: 3.11.1
CVE#: CVE-2023-24329
References:
https://security.netapp.com/advisory/ntap-20230324-0004/ CONFIRM
https://github.com/python/cpython/pull/99421
https://pointernull.com/security/python-url-parse-problem.html
2. Buffer overflow in the _sha3 module in Python 3.10 and older
Description: The Keccak XKCP SHA-3 reference implementation before fdc6fef has an integer overflow and resultant buffer overflow that allows attackers to execute arbitrary code or eliminate expected cryptographic properties. This occurs in the sponge function interface.
Vulnerability Type: Exec Code Overflow
Fixed in Python versions: 3.7.16, 3.8.16, 3.9.16, 3.10.9
CVE#: CVE-2022-37454
References:
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3ALQ6BDDPX5HU5YBQOBMDVAA2TSGDKIJ/
https://www.debian.org/security/2022/dsa-5267
https://csrc.nist.gov/projects/hash-functions/sha-3-project
3. Slow IDNA decoding with large strings
Description: IDNA decoding execution time is not linear in relation to the input string size, which can cause slowness with large inputs:
10 chars = 0.016 seconds
100 chars = 0.047 seconds
1000 chars = 2.883 seconds
2500 chars = 17.724 seconds
5000 chars = 1 min 10 seconds
Vulnerability Type: DoS
Fixed in Python versions: 3.7.16, 3.8.16, 3.9.16, 3.10.9, 3.11.1
CVE#: CVE-2022-45061
References:
https://security.netapp.com/advisory/ntap-20221209-0007/ CONFIRM
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IN26PWZTYG6IF3APLRXQJBVACQHZUPT2/FEDORA FEDORA-2023-943556a733
4. Linux specific local privilege escalation via the multiprocessing forkserver start method
Description: Python 3.9, 3.10, and 3.11.0rc2 on Linux may allow for a local privilege escalation attack in a non-default configuration when code uses the multiprocessing module and configures multiprocessing to use the forkserver start method.
Vulnerability Type: Execute Code
Vulnerable in: 3.7.16, 3.8.16
Fixed in Python versions: 3.9.16, 3.10.9, 3.11.1
CVE#: CVE-2022-42919
References:
https://github.com/python/cpython/compare/v3.10.8…v3.10.9 CONFIRM
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RDK3ZZBRYFO47ET3N4BNTKVXN47U6ICY/FEDORA FEDORA-2023-097dd40685
5. urllib.parse should sanitize URLs containing ASCII newlines and tabs
Description: A flaw was found in Python, specifically within the urllib.parse module. This module helps break Uniform Resource Locator (URL) strings into components. The issue is that the urlparse method does not sanitize its input and allows characters such as '\r' and '\n' in the URL path. This flaw allows an attacker to supply a crafted URL, leading to injection attacks.
Vulnerable in: 3.10.0b1, 3.9.5, 3.8.11, 3.7.11, 3.6.14
Fixed in: 3.6.14, 3.7.11, 3.8.11, 3.9.5, 3.10.0
CVE#: CVE-2022-0391
References:
https://bugs.python.org/issue43882
https://www.oracle.com/security-alerts/cpuapr2022.html
https://security.netapp.com/advisory/ntap-20220225-0009/ CONFIRM
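Both urllib.parse entries above (items 1 and 5) come down to the same defensive point: characters that the parser handles differently across Python versions (leading blanks, embedded CR/LF/tab) should be rejected before the URL is parsed at all, and the scheme should be allowlisted rather than blocklisted, so the check gives the same answer on an affected interpreter and a fixed one. The following is an added example, not code from the original post; the allowlist, the sample URLs and the function names are constructed for illustration.

```python
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed allowlist for this example (not from the original post): only
# the schemes the application actually needs are accepted; everything else fails.
ALLOWED_SCHEMES = frozenset({"http", "https"})

# Space, the C0 control range and DEL. Leading blanks (CVE-2023-24329) and
# embedded \r \n \t (CVE-2022-0391) are exactly the characters whose handling
# differs between affected and fixed urllib.parse versions, so they are
# rejected before the URL is ever handed to the parser.
_CONTROL_OR_BLANK = re.compile(r"[\x00-\x20\x7f]")


def blocklist_check(url: str) -> bool:
    """The fragile pattern: parse first, then deny a few scheme names.
    On affected interpreters a URL such as ' file:///tmp/x' parses with an
    empty scheme and slips past this test; on fixed ones it does not."""
    return urlsplit(url).scheme.lower() not in {"file", "ftp", "data"}


def classify_url(url: str) -> str:
    """Fail-closed validation that behaves the same on every Python version.
    Returns 'ok' or a short reason for rejection."""
    if _CONTROL_OR_BLANK.search(url):
        return "control-char"          # also covers leading/trailing blanks
    try:
        parts = urlsplit(url)
    except ValueError:                 # e.g. an unbalanced IPv6 bracket literal
        return "unparseable"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return "scheme"                # allowlist, never a blocklist
    if not parts.hostname:
        return "no-host"               # 'https:///x' or 'https:example.com'
    return "ok"


def validated_url(url: str) -> Optional[str]:
    """Convenience wrapper: the URL itself when it passes, else None."""
    return url if classify_url(url) == "ok" else None


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the original post.
    for sample in ["https://example.com/path", " file:///tmp/x",
                   "https://example.com/\r\nX-Injected: 1", "ftp://example.com/",
                   "https:///no-host", "https://[::1"]:
        print(repr(sample), "->", classify_url(sample))
```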