CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS
Percentile: 44.2%
The version of Python installed on the remote Windows host is potentially affected by a vulnerability. Passing a path with null bytes to the os.path.normpath() function causes the returned path to be unexpectedly truncated at the first occurrence of null bytes within the path.
Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.
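The truncation matters most where code validates a path after normalizing it. The following is an added example, not part of the plugin or of CPython: it rejects NUL bytes on the raw input before os.path.normpath() is called and probes whether the running interpreter truncates. The function names and the sample base directory are assumptions made for illustration.

```python
import os


class UnsafePathError(ValueError):
    """Raised when a caller-supplied path fails validation."""


def normpath_truncates_at_nul() -> bool:
    """Return True if this interpreter's os.path.normpath() drops
    everything after an embedded NUL (the CVE-2023-41105 behaviour)."""
    probe = "a\x00b"  # constructed probe value
    return os.path.normpath(probe) != probe


def safe_join(base_dir: str, user_path: str) -> str:
    """Join user_path under base_dir, refusing NUL bytes and escapes.

    The NUL check runs on the raw input, before normpath(), so the result
    does not depend on whether the interpreter is patched.
    """
    if "\x00" in user_path:
        raise UnsafePathError("NUL byte in path")
    base = os.path.normpath(os.path.abspath(base_dir))
    candidate = os.path.normpath(os.path.join(base, user_path))
    try:
        # commonpath() compares whole components, so a sibling such as
        # "uploads-old" does not pass as being inside "uploads".
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:
        # Raised on Windows when the two paths are on different drives.
        inside = False
    if not inside:
        raise UnsafePathError("path escapes base directory")
    return candidate


if __name__ == "__main__":
    print("normpath truncates at NUL:", normpath_truncates_at_nul())
    base = "/srv/uploads"  # assumed base directory for the example
    # Constructed sample inputs, not taken from the advisory.
    for p in ("reports/../a.txt", "a.txt\x00.png", "../uploads-old/x"):
        try:
            print(repr(p), "->", safe_join(base, p))
        except UnsafePathError as exc:
            print(repr(p), "rejected:", exc)
```
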
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
  script_id(180578);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/10/16");
  script_cve_id("CVE-2023-41105");
  script_xref(name:"IAVA", value:"2023-A-0442");
  script_name(english:"Python Untrusted Search Path (CVE-2023-41105)");
  script_set_attribute(attribute:"synopsis", value:
"The remote host has an application installed that is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of Python installed on the remote Windows host is potentially affected by a vulnerability. Passing a path
with null bytes to the os.path.normpath() function causes the returned path to be unexpectedly truncated at the first
occurrence of null bytes within the path.
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://mail.python.org/archives/list/[email protected]/thread/D6CDW3ZZC5D444YGL3VQUY6D4ECMCQLD/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6b943c37");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Python 3.11.5, 3.12.0rc2 or later, apply a patch, or see workarounds.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-41105");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"vuln_publication_date", value:"2023/08/24");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/08/24");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/09/07");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:python:python");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();
  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");
  script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_dependencies("python_win_installed.nbin");
  script_require_keys("installed_sw/Python Software Foundation Python", "SMB/Registry/Enumerated");
  exit(0);
}
include('vcf.inc');
get_kb_item_or_exit('SMB/Registry/Enumerated');
var app_info = vcf::get_app_info(app:'Python Software Foundation Python', win_local:TRUE);
# We cannot test for patch/workaround
if (report_paranoia < 2) audit(AUDIT_POTENTIAL_VULN, 'Python', app_info.display_version);
# app_info.version holds file version, like 3.7.11150.1013, which has no public translation to the version we want
# app_info.display_version holds correct version, so swap these
app_info.version = app_info.display_version;
app_info.parsed_version = vcf::parse_version(app_info.version);
var constraints = [
  {'min_version':'3.11', 'fixed_version' : '3.11.5'},
  {'min_version':'3.12.0rc1', 'fixed_version' : '3.12.0rc2'} # no alpha releases seen, flagging only rc1 should be fine
];
vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);