Memory Race Condition in Python's ssl Module
CVE-2024-0397

7.4HIGH

Key Information:

Vendor
Python Software Foundation
Status
Cpython
Vendor
CVE Published:
17 June 2024

Summary

A defect in the Python 'ssl' module introduces a memory race condition within the ssl.SSLContext methods 'cert_store_stats()' and 'get_ca_certs()'. This situation arises when these methods are invoked simultaneously while certificates are being loaded into the SSLContext, particularly during the TLS handshake process when a certificate directory is set. This can lead to unpredictable behavior and potential issues in certificate handling. Resolution is available in the latest versions of CPython.

Affected Version(s)

CPython 0 < 3.8.20

CPython 3.9.0 < 3.9.20

CPython 3.10.0 < 3.10.14

References

https://github.com/python/cpython/issues/114572
issue-tracking
https://github.com/python/cpython/pull/114573
patch
https://mail.python.org/archives/list/security-announce@p...
vendor-advisory

CVSS V3.1

Score:
7.4
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.