Local Privilege Escalation in Python Multiprocessing on Linux Systems
CVE-2022-42919

7.8HIGH

Key Information:

Vendor

Python

Status
Python
Vendor
CVE Published:
7 November 2022

What is CVE-2022-42919?

This vulnerability allows local privilege escalation on Linux systems using specific versions of Python (3.9.x prior to 3.9.16 and 3.10.x prior to 3.10.9). The Python multiprocessing library enabled with the forkserver start method may allow deserialization of pickles from any user in the same machine's local network namespace. As a result, malicious users can exploit this flaw to execute arbitrary code, potentially escalating their privileges to that of the user under which any forkserver process operates. This issue is mitigated by setting multiprocessing.util.abstract_sockets_supported to False, although the forkserver method is not the default configuration.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

References

https://github.com/python/cpython/issues/97514
https://lists.fedoraproject.org/archives/list/package-ann...
vendor-advisory
https://lists.fedoraproject.org/archives/list/package-ann...
vendor-advisory

CVSS V3.1

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.