CVE-2023-38898

Name of the Vulnerable Software and Affected Versions Python versions prior to 3.9.1 Python cpython version 3.7 Python CPython 3.12.0b1

Description An issue in the asyncio. swap current task component of Python allows an attacker to obtain sensitive information. The vulnerability is related to the lack of protection for internal data. It is disputed by the vendor, as it is believed to be a bug in some 3.12 pre-releases and not in the 3.7 release. Additionally, there are no common scenarios in which an adversary can call asyncio. swap current task but does not already have the ability to call arbitrary functions. An XML External Entity (XXE) issue was also discovered in Python through 3.9.1, where the plistlib module no longer accepts entity declarations in XML plist files to avoid XML vulnerabilities. An issue was discovered in compare digest in Lib/hmac.py in Python through 3.9.1, where constant-time-defeating optimisations were possible in the accumulator variable in hmac.compare digest.

Recommendations For Python versions prior to 3.9.1, consider updating to a version that includes the fix for the XML External Entity (XXE) issue. For Python cpython version 3.7, as a temporary workaround, consider restricting access to the asyncio. swap current task component until a patch is available. For Python CPython 3.12.0b1, consider updating to a version that includes the fix for the issue in the asyncio. swap current task component. At the moment, there is no information about a newer version that contains a fix for this vulnerability in Python cpython version 3.7.