Vulnerability Details : CVE-2023-6507
An issue was found in the CPython 3.12.0 `subprocess` module on POSIX platforms. The issue was fixed in CPython 3.12.1 and does not affect other stable releases.
When using the `extra_groups=` parameter with an empty list as a value (i.e. `extra_groups=[]`), the logic regressed to not call `setgroups(0, NULL)` before calling `exec()`, thus not dropping the original process's supplementary groups before starting the new process. There is no issue when the parameter isn't used or when any value other than an empty list is used.
This issue only impacts CPython processes run with sufficient privilege to make the `setgroups` system call (typically `root`).
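The following probe is an added example, not code from CPython or from the advisory. It spawns a child interpreter with `extra_groups=[]` and compares the child's supplementary groups with the parent's, so an operator can check the interpreter actually in use rather than trust a version string. The classification rests on two facts: the advisory's statement that a regressed interpreter skips the `setgroups()` call entirely, and the Linux rule that `setgroups()` needs CAP_SETGID, so on a fixed interpreter an unprivileged caller gets EPERM (surfaced as `PermissionError`) while a privileged caller sees an empty group list. The function and constant names (`probe_extra_groups_empty`, `child_groups`, `popen_kwargs_drop_to`, `CHILD_CODE`, `OUTCOMES`) are this example's own; the workaround helper relies on the advisory's note that only the empty list is affected.

```python
"""Runtime probe for the CVE-2023-6507 behaviour (added example, not CPython code)."""
import ast
import os
import subprocess
import sys

# Constructed child program: print the child's supplementary groups as a
# Python list literal so the parent can parse them back.
CHILD_CODE = "import os; print(sorted(os.getgroups()))"

OUTCOMES = ("dropped", "inherited", "permission_denied",
            "indeterminate", "other", "unsupported")


def child_groups(**popen_kwargs):
    """Run a child interpreter with the given Popen keyword arguments and
    return the sorted supplementary group list the child observed."""
    proc = subprocess.run(
        [sys.executable, "-c", CHILD_CODE],
        capture_output=True, text=True, check=True, **popen_kwargs,
    )
    return ast.literal_eval(proc.stdout.strip())


def probe_extra_groups_empty():
    """Spawn a child with extra_groups=[] and classify what happened.

    A fixed interpreter always calls setgroups(0, NULL) in the child: a
    caller holding CAP_SETGID (typically root) sees 'dropped', an
    unprivileged caller sees 'permission_denied' (EPERM in the child is
    re-raised in the parent as PermissionError).  An interpreter with the
    regression skips the call, so the child keeps the parent's groups and
    the result is 'inherited' whether or not the caller is privileged.
    """
    version = sys.version_info[:3]
    if os.name != "posix":
        return {"version": version, "euid": None, "parent_groups": None,
                "child_groups": None, "outcome": "unsupported"}
    parent = sorted(os.getgroups())
    child = None
    try:
        child = child_groups(extra_groups=[])
    except PermissionError:
        outcome = "permission_denied"
    except TypeError:
        outcome = "unsupported"      # extra_groups= only exists from 3.9 on
    else:
        if not parent:
            outcome = "indeterminate"  # nothing to drop, so nothing to observe
        elif child == []:
            outcome = "dropped"
        elif child == parent:
            outcome = "inherited"      # the CVE-2023-6507 behaviour
        else:
            outcome = "other"
    return {"version": version, "euid": os.geteuid(), "parent_groups": parent,
            "child_groups": child, "outcome": outcome}


def popen_kwargs_drop_to(gid):
    """Popen keyword arguments that leave the child with exactly one group.

    Workaround for an interpreter that ignores extra_groups=[]: the advisory
    says only the empty list is affected, so passing the target primary
    group as a one-element list still makes the child call setgroups() and
    discards every other inherited group.
    """
    if not isinstance(gid, int) or gid < 0:
        raise ValueError("gid must be a non-negative integer")
    return {"group": gid, "extra_groups": [gid]}


if __name__ == "__main__":
    result = probe_extra_groups_empty()
    print(result)
    if result["outcome"] == "inherited":
        print("extra_groups=[] did NOT drop groups: CVE-2023-6507 behaviour present")
```

Run it as root on the interpreter that will launch privileged children: `dropped` is the fixed behaviour, `inherited` means the process tree would keep every supplementary group of the parent. Running it unprivileged still distinguishes the two, because a fixed interpreter fails with `PermissionError` instead of silently succeeding. The helper is only a stop-gap for a host that cannot yet move to 3.12.1; `preexec_fn` is the other option but is unsafe in threaded programs.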
Products affected by CVE-2023-6507
- cpe:2.3:a:python:python:3.12.0:-:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.13.0:alpha1:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.13.0:alpha2:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-6507
0.09% - Probability of exploitation activity in the next 30 days
~38% - Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-6507
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.1 | MEDIUM | CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N | 0.9 | 5.2 | Python Software Foundation | |
4.9 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N | 1.2 | 3.6 | NIST | |
CWE ids for CVE-2023-6507
- The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. (Assigned by: cna@python.org, Secondary)
References for CVE-2023-6507
- https://github.com/python/cpython/commit/85bbfa8a4bbdbb61a3a84fbd7cb29a4096ab8a06 : [3.12] gh-112334: Restore subprocess's use of `vfork()` & fix `extra_… · python/cpython@85bbfa8 · GitHub
- https://mail.python.org/archives/list/security-announce@python.org/thread/AUL7QFHBLILGISS7U63B47AYSSGJJQZD/ : Mailman 3 [CVE-2023-6507] Groups not dropped before running subprocess when using empty 'extra_groups' parameter - Security-announce - python.org (Third Party Advisory)
- https://github.com/python/cpython/commit/10e9bb13b8dcaa414645b9bd10718d8f7179e82b : gh-112334: Regression test that vfork is used when expected. (#112734) · python/cpython@10e9bb1 · GitHub
- https://github.com/python/cpython/issues/112334 : subprocess.Popen: Performance regression on Linux since 124af17b6e · Issue #112334 · python/cpython · GitHub (Issue Tracking; Patch)
- https://github.com/python/cpython/commit/9fe7655c6ce0b8e9adc229daf681b6d30e6b1610 : gh-112334: Restore subprocess's use of `vfork()` & fix `extra_groups=… · python/cpython@9fe7655 · GitHub
- https://github.com/python/cpython/pull/112617 : gh-112334: Restore subprocess's use of `vfork()` & fix `extra_groups=[]` behavior by gpshead · Pull Request #112617 · python/cpython · GitHub (Issue Tracking; Patch)