CVE-2019-19274

{"id": "CVE-2019-19274", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2019-11-26T15:15:12.770", "references": [{"url": "https://bugs.python.org/issue36495", "tags": ["Patch", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/python/cpython/commit/a4d78362397fc3bced6ea80fbc7b5f4827aec55e", "tags": ["Patch", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/python/cpython/commit/dcfcd146f8e6fc5c2fc16a4c192a0c5f5ca8c53c", "tags": ["Patch", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/python/typed_ast/commit/156afcb26c198e162504a57caddfe0acd9ed7dce", "tags": ["Patch", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/python/typed_ast/commit/dc317ac9cff859aa84eeabe03fb5004982545b3b", "tags": ["Patch", "Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LG5H4Q6LFVRX7SFXLBEJMNQFI4T5SCEA/", "source": "cve@mitre.org"}, {"url": "https://bugs.python.org/issue36495", "tags": ["Patch", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/python/cpython/commit/a4d78362397fc3bced6ea80fbc7b5f4827aec55e", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/python/cpython/commit/dcfcd146f8e6fc5c2fc16a4c192a0c5f5ca8c53c", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/python/typed_ast/commit/156afcb26c198e162504a57caddfe0acd9ed7dce", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/python/typed_ast/commit/dc317ac9cff859aa84eeabe03fb5004982545b3b", "tags": ["Patch", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LG5H4Q6LFVRX7SFXLBEJMNQFI4T5SCEA/", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-125"}]}], "descriptions": [{"lang": "en", "value": "typed_ast 1.3.0 and 1.3.1 has a handle_keywordonly_args out-of-bounds read. An attacker with the ability to cause a Python interpreter to parse Python source (but not necessarily execute it) may be able to crash the interpreter process. This could be a concern, for example, in a web-based service that parses (but does not execute) Python code. (This issue also affected certain Python 3.8.0-alpha prereleases.)"}, {"lang": "es", "value": "typed_ast versiones 1.3.0 y 1.3.1, presenta una lectura fuera de l\u00edmites de la funci\u00f3n handle_keywordonly_args. Un atacante con la capacidad de causar que un int\u00e9rprete de Python analice el origen de Python (pero no necesariamente lo ejecute) puede bloquear el proceso del int\u00e9rprete. Esto podr\u00eda ser una preocupaci\u00f3n, por ejemplo, en un servicio basado en la web que analiza (pero no ejecuta) el c\u00f3digo Python. (Este problema tambi\u00e9n afect\u00f3 a determinadas versiones previas de Python 3.8.0-alpha)."}], "lastModified": "2024-11-21T04:34:28.540", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:python:typed_ast:1.3.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A89928A4-7430-4874-BE50-9870FB8388D6"}, {"criteria": "cpe:2.3:a:python:typed_ast:1.3.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "31501157-938B-4795-AF8E-C23C5BC1AD2D"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}