CVE-2020-15523

Name of the Vulnerable Software and Affected Versions Python versions 3.6 through 3.6.10 Python versions 3.7 through 3.7.8 Python versions 3.8 through 3.8.4rc1 Python versions 3.9 through 3.9.0b4

Description The issue is related to the use of an invalid search path for loading python3.dll after the Py SetPath function has been used. This can allow a remote attacker to impact the integrity and availability of protected information. The problem occurs when CPython is embedded in a native application on Windows, but it cannot occur when using python.exe from a standard Python installation on Windows.

Recommendations For Python versions 3.6 through 3.6.10, consider disabling the use of python3X.dll until a patch is available. For Python versions 3.7 through 3.7.8, restrict access to the vulnerable python3.dll file to minimize the risk of exploitation. For Python versions 3.8 through 3.8.4rc1, avoid using the Py SetPath function with an invalid search path for python3.dll loading. For Python versions 3.9 through 3.9.0b4, as a temporary workaround, consider using a standard Python installation on Windows instead of an embedded CPython in a native application. At the moment, there is no information about a newer version that contains a fix for this vulnerability.