PT-2024-4665 · Python+9
Seth Larson · Published 2024-01-10 · Updated 2025-08-11
CVE-2024-0397 · CVSS v3.1 7.4 High
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H |
Name of the Vulnerable Software and Affected Versions:
Python versions prior to 3.10.14
Python versions prior to 3.11.9
Python versions prior to 3.12.3
Python versions prior to 3.13.0a5
Description:
A defect was discovered in the Python “ssl” module: there is a memory race condition between the ssl.SSLContext methods cert_store_stats() and get_ca_certs() and certificate loading. The race can be triggered if either method is called at the same time as certificates are being loaded into the SSLContext, for example during a TLS handshake with a certificate directory configured. This issue may allow a remote attacker to obtain sensitive information.
Recommendations:
Update to CPython 3.10.14 or later
Update to CPython 3.11.9 or later
Update to CPython 3.12.3 or later
Update to CPython 3.13.0a5 or later
As a temporary workaround, consider disabling the cert_store_stats() and get_ca_certs() functions until a patch is available.
Fix
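To put the affected-version ranges and the temporary workaround above into practice, here is an added example (not code from the advisory, from CPython or from the reporter): is_affected() applies the four fixed-version boundaries listed above, including the 3.13.0a5 pre-release, and GuardedSSLContext (a hypothetical name) implements the "disable" workaround by refusing cert_store_stats() and get_ca_certs() on affected interpreters. It assumes that raising an error on those calls is an acceptable reading of "disabling", that branches the advisory does not list (older than 3.10, newer than 3.13) fall before the earliest fixed release or after the fix respectively, and that the application builds its contexts through client_context().

```python
import sys
import ssl

# First non-vulnerable release on each branch, as listed in the advisory.
# Tuples follow sys.version_info: (major, minor, micro, releaselevel, serial).
FIXED_IN = {
    (3, 10): (3, 10, 14, "final", 0),
    (3, 11): (3, 11, 9, "final", 0),
    (3, 12): (3, 12, 3, "final", 0),
    (3, 13): (3, 13, 0, "alpha", 5),
}
_LEVEL = {"alpha": 0, "beta": 1, "candidate": 2, "final": 3}

def _sort_key(v):
    """Order version tuples so that 3.13.0a5 sorts before 3.13.0b1 and 3.13.0 final."""
    major, minor, micro, level, serial = v[:5]
    return (major, minor, micro, _LEVEL[level], serial)

def is_affected(version_info=None):
    """True when the interpreter lies inside a range the advisory lists as vulnerable."""
    v = tuple(version_info if version_info is not None else sys.version_info)[:5]
    branch = v[:2]
    if branch in FIXED_IN:
        return _sort_key(v) < _sort_key(FIXED_IN[branch])
    # Branches the advisory does not name: older ones are "prior to 3.10.14",
    # newer ones were cut after the fix landed (assumption stated in the lead-in).
    return branch < (3, 10)

class GuardedSSLContext(ssl.SSLContext):
    """Hypothetical helper implementing the workaround: refuse the two racy accessors."""

    # Class attribute so a deployment (or a test) can force the guard on or off.
    affected = is_affected()

    def cert_store_stats(self):
        if self.affected:
            raise RuntimeError("cert_store_stats() disabled: CVE-2024-0397 workaround")
        return super().cert_store_stats()

    def get_ca_certs(self, binary_form=False):
        if self.affected:
            raise RuntimeError("get_ca_certs() disabled: CVE-2024-0397 workaround")
        return super().get_ca_certs(binary_form)

def client_context():
    """Build a client context with the guard applied; load CAs and connect as usual."""
    return GuardedSSLContext(ssl.PROTOCOL_TLS_CLIENT)
```

The guard only removes the two racy callers; the handshake-side certificate loading is untouched, so upgrading to a fixed release remains the actual fix.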
Weakness Enumeration: Race Condition
Affected Products
ALT Linux
Astra Linux
Debian
IBM AIX
Linux Mint
Python
Red Hat
RED OS
SUSE
Ubuntu