PT-2022-7023 · Python+6
Devin Jeanpierre
Published 2022-10-16 · Updated 2025-08-11
CVE-2022-48566
CVSS v2.0: 7.1 (High)
Vector: AV:N/AC:H/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
Python versions through 3.9.1
Python version 3.12.0b1
Description
The issue concerns the hmac.compare_digest function in the Lib/hmac.py module, where the accumulator variable allowed constant-time-defeating optimisations. This could potentially allow a remote attacker to elevate their privileges due to a race condition. Additionally, an XML External Entity (XXE) issue was discovered; it has been mitigated by the plistlib module no longer accepting entity declarations in XML plist files. There is also an issue in the asyncio.swap_current_task() component that allows an attacker to obtain sensitive information.
Recommendations
For Python versions through 3.9.1, update to a release in which the hmac.compare_digest function has been patched to prevent constant-time-defeating optimisations.
For Python version 3.12.0b1, restrict access to the asyncio.swap_current_task() component to minimize the risk of exploitation.
As a temporary workaround, consider disabling the use of entity declarations in XML plist files until the issue is resolved.
Avoid using the plistlib module with untrusted XML plist files until the XXE issue is fully addressed.
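As an added example (not code from this advisory or from CPython itself), the block below shows the two defensive patterns the recommendations point at: verifying a MAC with hmac.compare_digest instead of a plain == comparison, and screening an untrusted XML plist for DOCTYPE subsets and entity declarations before handing it to plistlib. The helper names (make_mac, verify_mac, load_untrusted_plist, plist_is_accepted) and both sample plists are constructed here; on a patched interpreter plistlib itself raises InvalidFileException on entity declarations, so the pre-check is defence in depth for interpreters that have not yet been updated.

```python
import hashlib
import hmac
import plistlib
import re

# --- 1. Timing-safe MAC verification ---------------------------------------
# A plain `expected == received` on bytes stops at the first differing byte and
# so leaks how many leading bytes matched. hmac.compare_digest is the documented
# constant-time comparison; this advisory is about the internals of that very
# function, so upgrading Python is what actually restores the guarantee.

def make_mac(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 tag for message (helper so a valid tag can be built)."""
    return hmac.new(key, message, hashlib.sha256).digest()

def verify_mac(key: bytes, message: bytes, received_tag: bytes) -> bool:
    """Recompute the tag and compare without short-circuiting on mismatch."""
    expected = make_mac(key, message)
    return hmac.compare_digest(expected, received_tag)

# --- 2. Screening untrusted XML plists for entity declarations --------------
# A standard plist DOCTYPE only references Apple's public DTD. An internal DTD
# subset ("[ ... ]") or a bare <!ENTITY ...> is never needed for a property
# list, so either is grounds to refuse the document outright.
_DANGEROUS_DTD = re.compile(rb"<!ENTITY\b|<!DOCTYPE[^>]*\[", re.IGNORECASE)

def load_untrusted_plist(data: bytes) -> dict:
    """Parse a plist from an untrusted source, refusing any DTD customisation."""
    if data.startswith(b"bplist"):          # binary format: no XML, no entities
        return plistlib.loads(data)
    if _DANGEROUS_DTD.search(data):
        raise ValueError("plist declares a DOCTYPE subset or entity; refusing to parse")
    return plistlib.loads(data)

def plist_is_accepted(data: bytes) -> bool:
    """True only if both the screening and plistlib accept the document."""
    try:
        load_untrusted_plist(data)
    except (ValueError, plistlib.InvalidFileException):
        return False
    return True

# Constructed sample inputs (not taken from the advisory).
CLEAN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>name</key><string>example</string>
  <key>retries</key><integer>3</integer>
</dict>
</plist>
"""

# Same document but with an internal DTD subset declaring a (benign) entity.
ENTITY_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist [ <!ENTITY demo "expanded text"> ]>
<plist version="1.0">
<dict><key>name</key><string>&demo;</string></dict>
</plist>
"""

if __name__ == "__main__":
    key = b"constructed-demo-key"
    tag = make_mac(key, b"payload")
    print("valid tag accepted:", verify_mac(key, b"payload", tag))
    print("tampered tag rejected:", not verify_mac(key, b"payload", bytes(len(tag))))
    print("clean plist:", load_untrusted_plist(CLEAN_PLIST))
    print("entity plist accepted:", plist_is_accepted(ENTITY_PLIST))
```

The screening regex deliberately does not reject the public DOCTYPE every Apple-generated plist carries; it only triggers on an internal subset or an explicit entity declaration, which is where entity expansion and external-entity references would have to be introduced.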
Weakness Enumeration
Race Condition
Affected Products
Alt Linux
Astra Linux
Linuxmint
Python
Red Os
Suse
Ubuntu