Strix
26.1K

CVE-2022-42919

HIGHCVSS 7.8/10EPSS 0.60%

Last modified

CVE-2022-42919 is a high-severity vulnerability rated 7.8/10 on the CVSS scale. Python 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux allows local privilege escalation in a non-default configuration. The Python multiprocessing library, when used with the forkserver start method on Linux, allows pickles to be deserialized from any user in the same machine local network namespace, which in many system configurations means any user on the same machine. EPSS estimates a 0.60% chance of exploitation in the next 30 days.

Description

Python 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux allows local privilege escalation in a non-default configuration. The Python multiprocessing library, when used with the forkserver start method on Linux, allows pickles to be deserialized from any user in the same machine local network namespace, which in many system configurations means any user on the same machine. Pickles can execute arbitrary code. Thus, this allows for local user privilege escalation to the user that any forkserver process is running as. Setting multiprocessing.util.abstract_sockets_supported to False is a workaround. The forkserver start method for multiprocessing is not the default start method. This issue is Linux specific because only Linux supports abstract namespace sockets. CPython before 3.9 does not make use of Linux abstract namespace sockets by default. Support for users manually specifying an abstract namespace socket was added as a bugfix in 3.7.8 and 3.8.3, but users would need to make specific uncommon API calls in order to do that in CPython before 3.9.

Metrics

CVSS 3.1
7.8/10

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Probability
0.60%

44.3th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
PythonPython>= 3.7.3, <= 3.7.15
PythonPython>= 3.8.3, <= 3.8.15
PythonPython>= 3.9.0, < 3.9.16
PythonPython>= 3.10.0, < 3.10.9
FedoraprojectFedora35
FedoraprojectFedora36
FedoraprojectFedora37

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2022-42919?
Python 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux allows local privilege escalation in a non-default configuration. The Python multiprocessing library, when used with the forkserver start method on Linux, allows pickles to be deserialized from any user in the same machine local network namespace, which in many system configurations means any user on the same machine. Pickles can execute arbitrary code. Thus, this allows for local user privilege escalation to the user that any forkserver process is running as. Setting multiprocessing.util.abstract_sockets_supported to False is a workaround. The forkserver start method for multiprocessing is not the default start method. This issue is Linux specific because only Linux supports abstract namespace sockets. CPython before 3.9 does not make use of Linux abstract namespace sockets by default. Support for users manually specifying an abstract namespace socket was added as a bugfix in 3.7.8 and 3.8.3, but users would need to make specific uncommon API calls in order to do that in CPython before 3.9.
How severe is CVE-2022-42919?
CVE-2022-42919 has a CVSS score of 7.8/10 (HIGH severity). The EPSS model estimates a 0.60% probability of exploitation in the next 30 days.
How do I fix CVE-2022-42919?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2022-42919?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST