CVE-2021-3177

Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs because sprintf is used unsafely.
Classic Buffer Overflow
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 7%
VendorProductVersion
pythonpython
3.6.0 ≤
𝑥
≤ 3.6.12
pythonpython
3.7.0 ≤
𝑥
≤ 3.7.9
pythonpython
3.8.0 ≤
𝑥
≤ 3.8.7
pythonpython
3.9.0 ≤
𝑥
≤ 3.9.1
netappactive_iq_unified_manager
-
netappactive_iq_unified_manager
-
netappontap_select_deploy_administration_utility
-
debiandebian_linux
9.0
oraclecommunications_cloud_native_core_network_function_cloud_native_environment
22.2.0
oraclecommunications_offline_mediation_controller
12.0.0.3.0
oraclecommunications_pricing_design_center
12.0.0.3.0
oracleenterprise_manager_ops_center
12.4.0.0
oraclezfs_storage_appliance_kit
8.8
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
python2.7
bullseye
2.7.18-8+deb11u1
fixed
stretch
no-dsa
python3.9
bullseye
3.9.2-1
fixed
stretch
no-dsa
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
python2.7
noble
dne
mantic
dne
lunar
dne
kinetic
not-affected
jammy
not-affected
impish
not-affected
hirsute
not-affected
groovy
ignored
focal
Fixed 2.7.18-1~20.04.1
released
bionic
Fixed 2.7.17-1~18.04ubuntu1.6
released
xenial
Fixed 2.7.12-1ubuntu0~16.04.18
released
trusty
Fixed 2.7.6-8ubuntu0.6+esm10
released
python3.4
noble
dne
mantic
dne
lunar
dne
kinetic
dne
jammy
dne
impish
dne
hirsute
dne
groovy
dne
focal
dne
bionic
dne
xenial
dne
trusty
Fixed 3.4.3-1ubuntu1~14.04.7+esm10
released
python3.5
noble
dne
mantic
dne
lunar
dne
kinetic
dne
jammy
dne
impish
dne
hirsute
dne
groovy
dne
focal
dne
bionic
dne
xenial
Fixed 3.5.2-2ubuntu0~16.04.13
released
trusty
Fixed 3.5.2-2ubuntu0~16.04.4~14.04.1+esm1
released
python3.6
noble
dne
mantic
dne
lunar
dne
kinetic
dne
jammy
dne
impish
dne
hirsute
dne
groovy
dne
focal
dne
bionic
Fixed 3.6.9-1~18.04ubuntu1.4
released
xenial
dne
trusty
dne
python3.7
noble
dne
mantic
dne
lunar
dne
kinetic
dne
jammy
dne
impish
dne
hirsute
dne
groovy
dne
focal
dne
bionic
Fixed 3.7.5-2~18.04.4
released
xenial
dne
trusty
dne
python3.8
noble
dne
mantic
dne
lunar
dne
kinetic
dne
jammy
dne
impish
dne
hirsute
dne
groovy
Fixed 3.8.6-1ubuntu0.2
released
focal
Fixed 3.8.5-1~20.04.2
released
bionic
Fixed 3.8.0-3~18.04.1
released
xenial
dne
trusty
dne
python3.9
noble
dne
mantic
dne
lunar
dne
kinetic
dne
jammy
dne
impish
not-affected
hirsute
not-affected
groovy
Fixed 3.9.5-3~20.10.1
released
focal
Fixed 3.9.5-3~20.04.1
released
bionic
dne
xenial
dne
trusty
dne
Common Weakness Enumeration
References
https://bugs.python.org/issue42938
https://github.com/python/cpython/pull/24239
https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E
https://lists.debian.org/debian-lts-announce/2021/04/msg00005.html
https://lists.debian.org/debian-lts-announce/2022/02/msg00013.html
https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BRHOCQYX3QLDGDQGTWQAUUT2GGIZCZUO/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CCFZMVRQUKCBQIG5F2CBVADK63NFSE4A/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FONHJIOZOFD7CD35KZL6SVBUTMBPGZGA/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FPE7SMXYUIWPOIZV4DQYXODRXMFX3C5E/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HCQTCSP6SCVIYNIRUJC5X7YBVUHPLSC4/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MGSV6BJQLRQ6RKVUXK7JGU7TP4QFGQXC/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MP572OLHMS7MZO4KUPSCIMSZIA5IZZ62/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NODWHDIFBQE5RU5PUWUVE47JOT5VCMJ2/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NQPARTLNSFQVMMQHPNBFOCOZOO3TMQNA/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NXSMBHES3ANXXS2RSO5G6Q24BR4B2PWK/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V6XJAULOS5JVB2L67NCKKMJ5NTKZJBSD/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y4KSYYWMGAKOA2JVCQA422OINT6CKQ7O/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YDTZVGSXQ7HR7OCGSUHTRNTMBG43OMKU/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z7GZV74KM72O2PEJN2C4XP3V5Q5MZUOO/
https://news.ycombinator.com/item?id=26185005
https://python-security.readthedocs.io/vuln/ctypes-buffer-overflow-pycarg_repr.html
https://security.gentoo.org/glsa/202101-18
https://security.netapp.com/advisory/ntap-20210226-0003/
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpujul2022.html
https://www.oracle.com/security-alerts/cpuoct2021.html
https://bugs.python.org/issue42938
https://github.com/python/cpython/pull/24239
https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772%40%3Cdev.mina.apache.org%3E
https://lists.debian.org/debian-lts-announce/2021/04/msg00005.html
https://lists.debian.org/debian-lts-announce/2022/02/msg00013.html
https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BRHOCQYX3QLDGDQGTWQAUUT2GGIZCZUO/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CCFZMVRQUKCBQIG5F2CBVADK63NFSE4A/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FONHJIOZOFD7CD35KZL6SVBUTMBPGZGA/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FPE7SMXYUIWPOIZV4DQYXODRXMFX3C5E/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HCQTCSP6SCVIYNIRUJC5X7YBVUHPLSC4/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MGSV6BJQLRQ6RKVUXK7JGU7TP4QFGQXC/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MP572OLHMS7MZO4KUPSCIMSZIA5IZZ62/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NODWHDIFBQE5RU5PUWUVE47JOT5VCMJ2/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NQPARTLNSFQVMMQHPNBFOCOZOO3TMQNA/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NXSMBHES3ANXXS2RSO5G6Q24BR4B2PWK/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V6XJAULOS5JVB2L67NCKKMJ5NTKZJBSD/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y4KSYYWMGAKOA2JVCQA422OINT6CKQ7O/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YDTZVGSXQ7HR7OCGSUHTRNTMBG43OMKU/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z7GZV74KM72O2PEJN2C4XP3V5Q5MZUOO/
https://news.ycombinator.com/item?id=26185005
https://python-security.readthedocs.io/vuln/ctypes-buffer-overflow-pycarg_repr.html
https://security.gentoo.org/glsa/202101-18
https://security.netapp.com/advisory/ntap-20210226-0003/
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpujul2022.html
https://www.oracle.com/security-alerts/cpuoct2021.html