Out-of-bounds Read Vulnerability in typed_ast for Python by Python Software Foundation
CVE-2019-19274
7.5 HIGH
What is CVE-2019-19274?
The typed_ast library, versions 1.3.0 and 1.3.1, is affected by an out-of-bounds read in the handle_keywordonly_args function. An attacker who can get a Python interpreter to parse source code of their choosing could potentially crash the interpreter process. This poses a risk for applications or services that parse Python code, especially in web environments where the code is parsed but not executed. All applications using these versions of typed_ast need further investigation.
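To find where the affected versions are in use, the following added example (not part of the original advisory or of the typed_ast project) scans pip requirements text for typed_ast pins at 1.3.0 or 1.3.1 and checks the version installed in the current environment. The function names and the sample input are assumptions made for illustration; only plain numeric release versions are compared.

```python
import re
from importlib import metadata

PACKAGE = "typed-ast"  # PEP 503 normalized project name of typed_ast
REQ = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*([^;#]*)")

def normalize(name):
    """PEP 503: typed_ast, Typed.Ast and typed-ast are the same project."""
    return re.sub(r"[-_.]+", "-", name).lower()

def release_key(version):
    """Plain releases only; '1.3' equals '1.3.0' under PEP 440, so drop trailing zeros."""
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        return None
    return tuple(int(p) for p in re.sub(r"(\.0+)*$", "", version).split("."))

# Affected versions as stated on this page.
AFFECTED = {release_key("1.3.0"), release_key("1.3.1")}

def scan_requirements(text):
    """Return (line_no, verdict) for every typed_ast requirement that needs attention."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = REQ.match(line)
        if not m or normalize(m.group(1)) != PACKAGE:
            continue
        pin = re.match(r"==\s*([0-9.]+)(?=\s|$)", m.group(2).strip())
        if pin is None:
            findings.append((no, "unresolved"))  # range or bare name: check the lock file
        elif release_key(pin.group(1)) in AFFECTED:
            findings.append((no, "affected"))
    return findings

def installed_is_affected():
    """True/False for the typed_ast in this environment, None if it is not installed."""
    try:
        return release_key(metadata.version(PACKAGE)) in AFFECTED
    except metadata.PackageNotFoundError:
        return None

# Constructed sample input, not taken from any real project.
SAMPLE = """\
requests==2.31.0
typed_ast==1.3.1 ; python_version < "3.8"
Typed.Ast==1.3
typed-ast>=1.3
typed-ast==1.4.0
"""
```

An "unresolved" verdict means the requirement does not pin an exact version, so the version actually installed has to be checked in a lock file or with installed_is_affected().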