Vulnerability Details : CVE-2022-42919
Python 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux allows local privilege escalation in a non-default configuration. The Python multiprocessing library, when used with the forkserver start method on Linux, allows pickles to be deserialized from any user in the same machine local network namespace, which in many system configurations means any user on the same machine. Pickles can execute arbitrary code. Thus, this allows for local user privilege escalation to the user that any forkserver process is running as. Setting multiprocessing.util.abstract_sockets_supported to False is a workaround. The forkserver start method for multiprocessing is not the default start method. This issue is Linux specific because only Linux supports abstract namespace sockets. CPython before 3.9 does not make use of Linux abstract namespace sockets by default. Support for users manually specifying an abstract namespace socket was added as a bugfix in 3.7.8 and 3.8.3, but users would need to make specific uncommon API calls in order to do that in CPython before 3.9.
Vulnerability category: Execute codeGain privilege
Products affected by CVE-2022-42919
- cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
Threat overview for CVE-2022-42919
Top countries where our scanners detected CVE-2022-42919
Top open port discovered on systems with this issue
22
IPs affected by CVE-2022-42919 198,597
Threat actors abusing to this issue?
Yes
Find out if you* are
affected by CVE-2022-42919!
*Directly or indirectly through your vendors, service providers and 3rd parties.
Powered by
attack surface intelligence
from SecurityScorecard.
Exploit prediction scoring system (EPSS) score for CVE-2022-42919
0.02%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 4 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-42919
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
7.8
|
HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
1.8
|
5.9
|
134c704f-9b21-4f2e-91b3-4a467353bcc0 | 2025-05-02 |
|
7.8
|
HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
1.8
|
5.9
|
NIST |
CWE ids for CVE-2022-42919
-
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.Assigned by: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
References for CVE-2022-42919
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R6KGIRHSENZ4QAB234Z36HVIDTRJ3MFI/
[SECURITY] Fedora 35 Update: python3.10-3.10.8-3.fc35 - package-announce - Fedora Mailing-ListsThird Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QLUGZSEAO3MBWGKCUSMKQIRYJZKJCIOB/
[SECURITY] Fedora 37 Update: pypy3.9-7.3.11-1.3.9.fc37 - package-announce - Fedora Mailing-ListsThird Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VCRKBB5Y5EWTJUNC7LK665WO64DDXSTN/
503 Backend fetch failedMailing List;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XX6LLAXGZVZ327REY6MDZRMMP47LJ53P/
[SECURITY] Fedora 37 Update: python3.10-3.10.8-3.fc37 - package-announce - Fedora Mailing-ListsThird Party Advisory
-
https://github.com/python/cpython/issues/97514#issuecomment-1310277840
Linux specific local privilege escalation via the multiprocessing forkserver start method - CVE-2022-42919 · Issue #97514 · python/cpython · GitHubThird Party Advisory
-
https://github.com/python/cpython/compare/v3.9.15...v3.9.16
Comparing v3.9.15...v3.9.16 · python/cpython · GitHubRelease Notes
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FKGCQPIVHEAIJ77R3RSNSQWYBUDVWDKU/
[SECURITY] Fedora 36 Update: python3.9-3.9.15-3.fc36 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P2LHWWEI5OBQ6RELULMVU6KMDYG4WZXH/
[SECURITY] Fedora 36 Update: python3.10-3.10.8-3.fc36 - package-announce - Fedora Mailing-ListsThird Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QLUGZSEAO3MBWGKCUSMKQIRYJZKJCIOB/
[SECURITY] Fedora 37 Update: pypy3.9-7.3.11-1.3.9.fc37 - package-announce - Fedora Mailing-Lists
-
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XX6LLAXGZVZ327REY6MDZRMMP47LJ53P/
[SECURITY] Fedora 37 Update: python3.10-3.10.8-3.fc37 - package-announce - Fedora Mailing-Lists
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RDK3ZZBRYFO47ET3N4BNTKVXN47U6ICY/
[SECURITY] Fedora 36 Update: pypy3.9-7.3.11-1.3.9.fc36 - package-announce - Fedora Mailing-ListsThird Party Advisory
-
https://github.com/python/cpython/compare/v3.10.8...v3.10.9
Comparing v3.10.8...v3.10.9 · python/cpython · GitHubRelease Notes
-
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PI5DYIED6U26BGX5IRZWNCP6TY4M2ZGZ/
[SECURITY] Fedora 35 Update: python3.9-3.9.15-2.fc35 - package-announce - Fedora Mailing-Lists
-
https://security.netapp.com/advisory/ntap-20221209-0006/
CVE-2022-42919 Python Vulnerability in NetApp Products | NetApp Product SecurityThird Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/P2LHWWEI5OBQ6RELULMVU6KMDYG4WZXH/
[SECURITY] Fedora 36 Update: python3.10-3.10.8-3.fc36 - package-announce - Fedora Mailing-Lists
-
https://security.gentoo.org/glsa/202305-02
Python, PyPy3: Multiple Vulnerabilities (GLSA 202305-02) — Gentoo security
-
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FKGCQPIVHEAIJ77R3RSNSQWYBUDVWDKU/
[SECURITY] Fedora 36 Update: python3.9-3.9.15-3.fc36 - package-announce - Fedora Mailing-Lists
-
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDK3ZZBRYFO47ET3N4BNTKVXN47U6ICY/
[SECURITY] Fedora 36 Update: pypy3.9-7.3.11-1.3.9.fc36 - package-announce - Fedora Mailing-Lists
-
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R6KGIRHSENZ4QAB234Z36HVIDTRJ3MFI/
[SECURITY] Fedora 35 Update: python3.10-3.10.8-3.fc35 - package-announce - Fedora Mailing-Lists
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PI5DYIED6U26BGX5IRZWNCP6TY4M2ZGZ/
503 Backend fetch failedMailing List;Third Party Advisory
-
https://github.com/python/cpython/issues/97514
Linux specific local privilege escalation via the multiprocessing forkserver start method - CVE-2022-42919 · Issue #97514 · python/cpython · GitHubThird Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VCRKBB5Y5EWTJUNC7LK665WO64DDXSTN/
[SECURITY] Fedora 37 Update: python3.9-3.9.15-2.fc37 - package-announce - Fedora Mailing-Lists
Jump to