CVE-2023-6507

Name of the Vulnerable Software and Affected Versions CPython version 3.12.0

Description The issue is related to errors in privilege management in the subprocess module of the CPython interpreter. When using the extra groups= parameter with an empty list as a value, the logic regressed to not call setgroups(0, NULL) before calling exec(), thus not dropping the original processes' groups before starting the new process. This issue only impacts CPython processes run with sufficient privilege to make the setgroups system call, typically root.

Recommendations For CPython version 3.12.0, update to CPython 3.12.1 to resolve the issue. As a temporary workaround, consider avoiding the use of the extra groups= parameter with an empty list until a patch is available. Restrict access to the subprocess module to minimize the risk of exploitation.