CPython SocketModule AF_INET socketpair race (Win), 3.5+
CVE-2024-3219 Published on July 29, 2024
Pure-Python fallback of socket.socketpair() doesn’t authenticate peer connection
The
socket module provides a pure-Python fallback to the
socket.socketpair() function for platforms that dont support AF_UNIX,
such as Windows. This pure-Python implementation uses AF_INET or
AF_INET6 to create a local connected pair of sockets. The connection
between the two sockets was not verified before passing the two sockets
back to the user, which leaves the server socket vulnerable to a
connection race from a malicious local peer.
Platforms that support AF_UNIX such as Linux and macOS are not affected by this vulnerability. Versions prior to CPython 3.5 are not affected due to the vulnerable API not being included.
Weakness Type
Missing Authentication for Critical Function
The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Products Associated with CVE-2024-3219
Want to know whenever a new CVE is published for Python? stack.watch will email you.
Affected Versions
Python Software Foundation CPython:- Before 3.8.20 is affected.
- Version 3.9.0 and below 3.9.20 is affected.
- Version 3.10.0 and below 3.10.15 is affected.
- Version 3.11.0 and below 3.11.10 is affected.
- Version 3.12.0 and below 3.12.5 is affected.
- Version 3.13.0a1 and below 3.13.0rc1 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.