Lucene search

K
redhatcveRedhat.comRH:CVE-2022-48566
HistorySep 13, 2023 - 1:54 p.m.

CVE-2022-48566

2023-09-1313:54:09
redhat.com
access.redhat.com
14
python
constant-time-defeating
optimization
vulnerability
sensitive info
mitigation
ssl
openssl
boringssl

CVSS3

5.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

23.7%

A constant-time-defeating optimization issue was found in python. This issue occurs when sending a specially crafted request, which could allow an attacker to obtain sensitive information.

Mitigation

As per upstream, either make the accumulator variable result a volatile unsigned char instead of unsigned char or use instead use CRYPTO_memcmp from OpenSSL/BoringSSL when SSL is available as SSL libraries are more secure when it comes to timing based vulnerabilities.

<https://github.com/python/cpython/issues/84968&gt;

CVSS3

5.9

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

23.7%