Chgnrdv

**Name of the Vulnerable Software and Affected Versions** Python versions prior to 3.9.1 Python cpython version 3.7 Python CPython 3.12.0b1 **Description** An issue in the ` asyncio. swap current task` component of Python allows an attacker to obtain sensitive information. The vulnerability is related to the lack of protection for internal data. It is disputed by the vendor, as it is believed to be a bug in some 3.12 pre-releases and not in the 3.7 release. Additionally, there are no common scenarios in which an adversary can call ` asyncio. swap current task` but does not already have the ability to call arbitrary functions. An XML External Entity (XXE) issue was also discovered in Python through 3.9.1, where the `plistlib` module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities. An issue was discovered in `compare digest` in `Lib/hmac.py` in Python through 3.9.1, where constant-time-defeating optimisations were possible in the accumulator variable in `hmac.compare digest`. **Recommendations** For Python versions prior to 3.9.1, consider updating to a version that includes the fix for the XML External Entity (XXE) issue. For Python cpython version 3.7, as a temporary workaround, consider restricting access to the ` asyncio. swap current task` component until a patch is available. For Python CPython 3.12.0b1, consider updating to a version that includes the fix for the issue in the ` asyncio. swap current task` component. At the moment, there is no information about a newer version that contains a fix for this vulnerability in Python cpython version 3.7.

**Name of the Vulnerable Software and Affected Versions** CPython version 3.12.0 alpha 7 **Description** A heap use-after-free issue was discovered via the function `ascii decode` at `/Objects/unicodeobject.c`. **Recommendations** For CPython version 3.12.0 alpha 7, consider disabling the `ascii decode` function as a temporary workaround until a patch is available.