CVE-2020-15523
Summary
| CVE | CVE-2020-15523 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2020-07-04 23:15:00 UTC |
| Updated | 2022-07-05 18:54:00 UTC |
| Description | In Python 3.6 through 3.6.10, 3.7 through 3.7.8, 3.8 through 3.8.4rc1, and 3.9 through 3.9.0b4 on Windows, a Trojan horse python3.dll might be used in cases where CPython is embedded in a native application. This occurs because python3X.dll may use an invalid search path for python3.dll loading (after Py_SetPath has been used). NOTE: this issue CANNOT occur when using python.exe from a standard (non-embedded) Python installation on Windows. |
Risk And Classification
Problem Types: CWE-427 | CWE-908
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Microsoft | Windows | - | All | All | All |
| Application | Netapp | Snapcenter | - | All | All | All |
| Application | Python | Python | All | All | All | All |
| Application | Python | Python | 3.8.4 | rc1 | All | All |
| Application | Python | Python | 3.9.0 | alpha1 | All | All |
| Application | Python | Python | 3.9.0 | alpha2 | All | All |
| Application | Python | Python | 3.9.0 | alpha3 | All | All |
| Application | Python | Python | 3.9.0 | alpha4 | All | All |
| Application | Python | Python | 3.9.0 | alpha5 | All | All |
| Application | Python | Python | 3.9.0 | alpha6 | All | All |
| Application | Python | Python | 3.9.0 | beta1 | All | All |
| Application | Python | Python | 3.9.0 | beta2 | All | All |
| Application | Python | Python | 3.9.0 | beta3 | All | All |
| Application | Python | Python | 3.9.0 | beta4 | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| bpo-29778: Ensure python3.dll is loaded from correct locations when Python is embedded by zooba · Pull Request #21297 · python/cpython · GitHub | MISC | github.com | Patch, Third Party Advisory |
| Issue 29778: [CVE-2020-15523] _Py_CheckPython3 uses uninitialized dllpath when embedder sets module path with Py_SetPath - Python tracker | MISC | bugs.python.org | Issue Tracking, Patch, Vendor Advisory |
| CVE-2020-15523 Python Vulnerability in NetApp Products | NetApp Product Security | CONFIRM | security.netapp.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 690464 Free Berkeley Software Distribution (FreeBSD) Security Update for python (2cb21232-fb32-11ea-a929-a4bf014bf5f7)
- 690477 Free Berkeley Software Distribution (FreeBSD) Security Update for python (3fcb70a4-e22d-11ea-98b2-080027846a02)
- 690479 Free Berkeley Software Distribution (FreeBSD) Security Update for python (a9eeb3a3-ca5e-11ea-930b-080027846a02)