CVE-2021-3177

Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs because sprintf is used unsafely.
Classic Buffer Overflow
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 7%
VendorProductVersion
pythonpython
3.6.0 ≤
𝑥
≤ 3.6.12
pythonpython
3.7.0 ≤
𝑥
≤ 3.7.9
pythonpython
3.8.0 ≤
𝑥
≤ 3.8.7
pythonpython
3.9.0 ≤
𝑥
≤ 3.9.1
netappactive_iq_unified_manager
-
netappactive_iq_unified_manager
-
netappontap_select_deploy_administration_utility
-
debiandebian_linux
9.0
oraclecommunications_cloud_native_core_network_function_cloud_native_environment
22.2.0
oraclecommunications_offline_mediation_controller
12.0.0.3.0
oraclecommunications_pricing_design_center
12.0.0.3.0
oracleenterprise_manager_ops_center
12.4.0.0
oraclezfs_storage_appliance_kit
8.8
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
python2.7
bullseye
2.7.18-8+deb11u1
fixed
stretch
no-dsa
python3.9
bullseye
3.9.2-1
fixed
stretch
no-dsa
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
python2.7
noble
dne
mantic
dne
lunar
dne
kinetic
not-affected
jammy
not-affected
impish
not-affected
hirsute
not-affected
groovy
ignored
focal
Fixed 2.7.18-1~20.04.1
released
bionic
Fixed 2.7.17-1~18.04ubuntu1.6
released
xenial
Fixed 2.7.12-1ubuntu0~16.04.18
released
trusty
Fixed 2.7.6-8ubuntu0.6+esm10
released
python3.4
noble
dne
mantic
dne
lunar
dne
kinetic
dne
jammy
dne
impish
dne
hirsute
dne
groovy
dne
focal
dne
bionic
dne
xenial
dne
trusty
Fixed 3.4.3-1ubuntu1~14.04.7+esm10
released
python3.5
noble
dne
mantic
dne
lunar
dne
kinetic
dne
jammy
dne
impish
dne
hirsute
dne
groovy
dne
focal
dne
bionic
dne
xenial
Fixed 3.5.2-2ubuntu0~16.04.13
released
trusty
Fixed 3.5.2-2ubuntu0~16.04.4~14.04.1+esm1
released
python3.6
noble
dne
mantic
dne
lunar
dne
kinetic
dne
jammy
dne
impish
dne
hirsute
dne
groovy
dne
focal
dne
bionic
Fixed 3.6.9-1~18.04ubuntu1.4
released
xenial
dne
trusty
dne
python3.7
noble
dne
mantic
dne
lunar
dne
kinetic
dne
jammy
dne
impish
dne
hirsute
dne
groovy
dne
focal
dne
bionic
Fixed 3.7.5-2~18.04.4
released
xenial
dne
trusty
dne
python3.8
noble
dne
mantic
dne
lunar
dne
kinetic
dne
jammy
dne
impish
dne
hirsute
dne
groovy
Fixed 3.8.6-1ubuntu0.2
released
focal
Fixed 3.8.5-1~20.04.2
released
bionic
Fixed 3.8.0-3~18.04.1
released
xenial
dne
trusty
dne
python3.9
noble
dne
mantic
dne
lunar
dne
kinetic
dne
jammy
dne
impish
not-affected
hirsute
not-affected
groovy
Fixed 3.9.5-3~20.10.1
released
focal
Fixed 3.9.5-3~20.04.1
released
bionic
dne
xenial
dne
trusty
dne
References