CVE-2023-41105

Summary

CVE: CVE-2023-41105
State: PUBLIC
Assigner: [email protected]
Source Priority: CVE Program / NVD first with legacy fallback
Published: 2023-08-23 07:15:00 UTC
Updated: 2023-11-07 04:20:00 UTC
Description: An issue was discovered in Python 3.11 through 3.11.4. If a path containing '\0' bytes is passed to os.path.normpath(), the path will be truncated unexpectedly at the first '\0' byte. There are plausible cases in which an application would have rejected a filename for security reasons in Python 3.10.x or earlier, but that filename is no longer rejected in Python 3.11.x.

Risk And Classification

Problem Types: CWE-426

NVD Known Affected Configurations (CPE 2.3)

Type        | Vendor | Product                   | Version | Update | Edition | Language
Application | Netapp | Active Iq Unified Manager | -       | All    | All     | All
Application | Python | Python                    | All     | All    | All     | All

References

Reference | Source | Link | Tags
[3.11] gh-106242: Fix path truncation in os.path.normpath (GH-106816) by zooba · Pull Request #107982 · python/cpython · GitHub | MISC | github.com |
Mailman 3 [CVE-2023-41105] os.path.normpath() truncates on null bytes - Security-announce - python.org | CONFIRM | mail.python.org |
gh-106242: Minor fixup to avoid compiler warnings by zooba · Pull Request #107983 · python/cpython · GitHub | MISC | github.com |
Mailman 3 [CVE-2023-41105] os.path.normpath() truncates on null bytes - Security-announce - python.org | | mail.python.org |
os.path.normpath truncates input on null bytes in 3.11, but not 3.10 · Issue #106242 · python/cpython · GitHub | MISC | github.com |
CVE-2023-41105 Python Vulnerability in NetApp Products | NetApp Product Security | CONFIRM | security.netapp.com |
[3.12] gh-106242: Fix path truncation in os.path.normpath (GH-106816) by zooba · Pull Request #107981 · python/cpython · GitHub | MISC | github.com |
CVE Program record | CVE.ORG | www.cve.org | canonical
NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis

Legacy QID Mappings

  • 161128 Oracle Enterprise Linux Security Update for python3.11 (ELSA-2023-6494)
  • 161148 Oracle Enterprise Linux Security Update for python3.11 (ELSA-2023-7024)
  • 199992 Ubuntu Security Notification for Python Vulnerability (USN-6547-1)
  • 242304 Red Hat Update for python3.11 (RHSA-2023:6494)
  • 242412 Red Hat Update for python3.11 (RHSA-2023:7024)
  • 296105 Oracle Solaris 11.4 Support Repository Update (SRU) 63.157.1 Missing (CPUOCT2023)
  • 755009 SUSE Enterprise Linux Security Update for python3 (SUSE-SU-2023:3939-1)
  • 755025 SUSE Enterprise Linux Security Update for python311 (SUSE-SU-2023:3943-1)
  • 941365 AlmaLinux Security Update for python3.11 (ALSA-2023:6494)
  • 941427 AlmaLinux Security Update for python3.11 (ALSA-2023:7024)
© CVE.report 2026
