CVE-2024-3219

UNKNOWN

Published 2024-07-29T21:54:05.830Z

Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2024-3219. We'll provide specific mitigation strategies based on your environment and risk profile.

No CVSS data available

Description

The
“socket” module provides a pure-Python fallback to the
socket.socketpair() function for platforms that don’t support AF_UNIX,
such as Windows. This pure-Python implementation uses AF_INET or
AF_INET6 to create a local connected pair of sockets. The connection
between the two sockets was not verified before passing the two sockets
back to the user, which leaves the server socket vulnerable to a
connection race from a malicious local peer.

Platforms that support AF_UNIX such as Linux and macOS are not affected by this vulnerability. Versions prior to CPython 3.5 are not affected due to the vulnerable API not being included.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

Python Software Foundation

CPython

Affected Versions:

0 3.9.0 3.10.0 3.11.0 3.12.0 3.13.0a1

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

⚠ Unreviewed LOW

GHSA-r8h6-cwxj-rv5j

Advisory Details

There is a MEDIUM severity vulnerability affecting CPython. The “socket” module provides a pure-Python fallback to the socket.socketpair() function for platforms that don’t support AF_UNIX, such as Windows. This pure-Python implementation uses AF_INET or AF_INET6 to create a local connected pair of sockets. The connection between the two sockets was not verified before passing the two sockets back to the user, which leaves the server socket vulnerable to a connection race from a malicious local peer. Platforms that support AF_UNIX such as Linux and macOS are not affected by this vulnerability. Versions prior to CPython 3.5 are not affected due to the vulnerable API not being included.

CVSS Scoring

CVSS Score

2.5

CVSS Vector


                                    CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2024-3219

WEB https://github.com/python/cpython/issues/122133

WEB https://github.com/python/cpython/pull/122134

WEB https://github.com/python/cpython/commit/f071f01b7b7e19d7d6b3a4b0ec62f820ecb14660

WEB https://github.com/python/cpython/commit/e319f774f9e766a2b92949444a2d46081df3363a

WEB https://github.com/python/cpython/commit/c5655aa6ad120d2ed7f255bebd6e8b71a9c07dde

WEB https://github.com/python/cpython/commit/c21a36112a0028d7ac3cf8f480e0dc88dba5922c

WEB https://github.com/python/cpython/commit/b252317956b7fc035bb3774ef6a177e227f9fc54

WEB https://github.com/python/cpython/commit/78df1043dbdce5c989600616f9f87b4ee72944e5

WEB https://github.com/python/cpython/commit/5f90abaa786f994db3907fc31e2ee00ea2cf0929

WEB https://github.com/python/cpython/commit/5df322e91a40909e6904bbdbc0c3a6b6a9eead39

WEB https://github.com/python/cpython/commit/3f5d9d12c74787fbf3f5891835c85cc15526c86d

WEB https://github.com/python/cpython/commit/31302f5fc24eecd693f0c8aaba7c2840b09b594d

WEB https://github.com/python/cpython/commit/2621a8a40ba4b2c68ca564671b7daa5da80a4508

WEB https://github.com/python/cpython/commit/220e31adeaaa8436c9ff234cba1398bc49e2bb6c

WEB https://github.com/python/cpython/commit/0b65c8bf5367625673eafb92f85046a1b31259f2

WEB https://github.com/python/cpython/commit/06fa244666ec6335a3b9bf2367e31b42b9a89b20

WEB https://mail.python.org/archives/list/[email protected]/thread/WYKDQWIERRE2ICIYMSVRZJO33GSCWU2B

WEB https://security.netapp.com/advisory/ntap-20250502-0004

WEB http://www.openwall.com/lists/oss-security/2024/07/29/3

Advisory provided by GitHub Security Advisory Database. Published: July 30, 2024, Modified: May 3, 2025

References

https://github.com/python/cpython/pull/122134

https://github.com/python/cpython/issues/122133

https://mail.python.org/archives/list/[email protected]/thread/WYKDQWIERRE2ICIYMSVRZJO33GSCWU2B/

http://www.openwall.com/lists/oss-security/2024/07/29/3

https://github.com/python/cpython/commit/06fa244666ec6335a3b9bf2367e31b42b9a89b20

https://github.com/python/cpython/commit/0b65c8bf5367625673eafb92f85046a1b31259f2

https://github.com/python/cpython/commit/220e31adeaaa8436c9ff234cba1398bc49e2bb6c

https://github.com/python/cpython/commit/5f90abaa786f994db3907fc31e2ee00ea2cf0929

https://github.com/python/cpython/commit/b252317956b7fc035bb3774ef6a177e227f9fc54

https://github.com/python/cpython/commit/2621a8a40ba4b2c68ca564671b7daa5da80a4508

https://github.com/python/cpython/commit/5df322e91a40909e6904bbdbc0c3a6b6a9eead39

https://github.com/python/cpython/commit/c21a36112a0028d7ac3cf8f480e0dc88dba5922c

https://github.com/python/cpython/commit/f071f01b7b7e19d7d6b3a4b0ec62f820ecb14660

https://github.com/python/cpython/commit/31302f5fc24eecd693f0c8aaba7c2840b09b594d

https://github.com/python/cpython/commit/3f5d9d12c74787fbf3f5891835c85cc15526c86d

https://github.com/python/cpython/commit/c5655aa6ad120d2ed7f255bebd6e8b71a9c07dde

https://github.com/python/cpython/commit/e319f774f9e766a2b92949444a2d46081df3363a

https://github.com/python/cpython/commit/78df1043dbdce5c989600616f9f87b4ee72944e5

HackerOne Reports

`Curl_socketpair()` fallback vulnerable to man-in-the-middle attack None

jmanojlovich

curl

Man-in-the-Middle

View Report

Published: 2024-07-29T21:54:05.830Z

Last Modified: 2025-05-02T23:02:58.327Z

Copied to clipboard!

CVE-2024-3219

Expert Analysis

Description

Available Exploits

Related News

Affected Products

CPython

Affected Versions:

GitHub Security Advisories

Advisory Details

CVSS Scoring

CVSS Score

CVSS Vector

References

References

HackerOne Reports

Request Analysis

What to expect

Request Received!