CVE-2024-0397

2024-06-1716:15:10

[email protected]

web.nvd.nist.gov

python

ssl module

memory race condition

cert_store_stats

get_ca_certs

cpython 3.10.14

cpython 3.11.9

cpython 3.12.3

cpython 3.13.0a5

6.3 Medium

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

13.1%

JSON

A defect was discovered in the Python “ssl” module where there is a memory
race condition with the ssl.SSLContext methods “cert_store_stats()” and
“get_ca_certs()”. The race condition can be triggered if the methods are
called at the same time as certificates are loaded into the SSLContext,
such as during the TLS handshake with a certificate directory configured.
This issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "CPython",
    "repo": "https://github.com/python/cpython",
    "vendor": "Python Software Foundation",
    "versions": [
      {
        "lessThan": "3.13.0a5",
        "status": "affected",
        "version": "3.13.0a1",
        "versionType": "python"
      },
      {
        "lessThan": "3.12.3",
        "status": "affected",
        "version": "3.12.0",
        "versionType": "python"
      },
      {
        "lessThan": "3.11.9",
        "status": "affected",
        "version": "3.11.0",
        "versionType": "python"
      },
      {
        "lessThan": "3.10.14",
        "status": "affected",
        "version": "0",
        "versionType": "python"
      }
    ]
  }
]