CVE-2024-3220

EUVD-2024-31812
There is a defect in the CPython standard library module "mimetypes": on Windows, the default list of known file locations is user-writable, so other users can create invalid files that cause MemoryError to be raised on Python runtime startup, or cause file extensions to be interpreted as the incorrect file type.

This defect is caused by the default locations of the Linux and macOS platforms (such as "/etc/mime.types") also being used on Windows, where they resolve to user-writable locations ("C:\etc\mime.types").

To work around this issue, a user can call mimetypes.init() with an empty list ("[]") on Windows platforms to avoid using the default list of known file locations.
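The following is an added example and not code from the CVE record or from CPython. It applies the workaround above from the defender's side and goes one step further: the documented mimetypes API reads the files passed to init() in addition to mimetypes.knownfiles, so on Windows the example clears knownfiles before re-initialising; it also builds a private MimeTypes instance that reads only a file the application chooses. The sample mime.types content, the platform parameter and the function names are constructed for this example.

```python
import mimetypes
import os
import sys
import tempfile

# Constructed sample map standing in for a file an administrator controls.
# Not from the CVE record; it exists only so the example runs offline.
CONSTRUCTED_MIME_TYPES = """\
# type                  extensions
application/x-example   xmpl
text/x-example-log      xlog
"""


def harden_mimetypes(platform=None):
    """Rebuild the global mimetypes tables so that, on Windows, none of the
    Unix-style default locations (which resolve to user-writable paths such
    as C:\\etc\\mime.types) are read.

    mimetypes.init(files) reads `files` in addition to mimetypes.knownfiles
    (the docs describe the argument as augmenting the default map), so the
    list itself is cleared first.  init() with no argument then rebuilds the
    database from the built-in table (plus the registry on Windows), even if
    another module already initialised it.  Returns the locations that
    remain eligible to be read; on Windows that is an empty list.
    """
    platform = sys.platform if platform is None else platform
    if platform == "win32":
        mimetypes.knownfiles = []   # drop /etc/mime.types and friends
    mimetypes.init()
    return list(mimetypes.knownfiles)


def guess(filename):
    """Look up a file name against the global (hardened) table."""
    return mimetypes.guess_type(filename)[0]


def trusted_mime_db(path):
    """Per-application database that consults only the built-in table and
    the one file the caller names, whatever else is present on disk."""
    return mimetypes.MimeTypes(filenames=[path])


def demo_trusted_db():
    """Write the constructed map to a temp dir, load it into a private
    MimeTypes instance and return the three lookups a caller would check."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "mime.types")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(CONSTRUCTED_MIME_TYPES)
        db = trusted_mime_db(path)
        return (
            db.guess_type("audit.xlog")[0],    # from the trusted file
            db.guess_type("page.html")[0],     # from the built-in table
            db.guess_type("unknown.zzz")[0],   # None: nothing else is read
        )


if __name__ == "__main__":
    print("eligible default files:", harden_mimetypes())
    print("report.html ->", guess("report.html"))
    print("private db  ->", demo_trusted_db())
```

Call harden_mimetypes() as early as possible in process startup, before any library that imports mimetypes (for example http.server) triggers the first initialisation; rebuilding with init() rather than init([]) is what makes the call effective even when the table was already populated.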
Provider  Type     Base Score  Atk. Vector  Atk. Complexity  Priv. Required  Vector
NIST      Primary  UNKNOWN     ---

Awaiting analysis: this vulnerability is currently awaiting analysis.
Base Score (CVSS 3.x): UNKNOWN (awaiting analysis)
EPSS Score percentile: 48%
Debian Releases

Debian Product  Codename             Version            Status
python3.11      bookworm             3.11.2-6+deb12u6   fixed
python3.11      bookworm (security)  3.11.2-6+deb12u3   fixed
python3.13      forky                3.13.11-1          fixed
python3.13      sid                  3.13.11-1          fixed
python3.13      trixie               3.13.5-2           fixed
python3.9       bullseye             3.9.2-1            fixed
python3.9       bullseye (security)  3.9.2-1+deb11u3    fixed
Ubuntu Releases (dne: package does not exist in that release)

Ubuntu Product  Codename  Status
python2.7       bionic    not-affected
python2.7       focal     not-affected
python2.7       jammy     not-affected
python2.7       noble     dne
python2.7       oracular  dne
python2.7       trusty    not-affected
python2.7       xenial    not-affected
python3.10      focal     dne
python3.10      jammy     not-affected
python3.10      noble     dne
python3.10      oracular  dne
python3.11      focal     dne
python3.11      jammy     not-affected
python3.11      noble     dne
python3.11      oracular  dne
python3.12      focal     dne
python3.12      jammy     dne
python3.12      noble     not-affected
python3.12      oracular  not-affected
python3.13      focal     dne
python3.13      jammy     dne
python3.13      noble     dne
python3.13      oracular  not-affected
python3.4       focal     dne
python3.4       jammy     dne
python3.4       noble     dne
python3.4       oracular  dne
python3.4       trusty    not-affected
python3.5       focal     dne
python3.5       jammy     dne
python3.5       noble     dne
python3.5       oracular  dne
python3.5       trusty    not-affected
python3.5       xenial    not-affected
python3.6       bionic    not-affected
python3.6       focal     dne
python3.6       jammy     dne
python3.6       noble     dne
python3.6       oracular  dne
python3.7       bionic    not-affected
python3.7       focal     dne
python3.7       jammy     dne
python3.7       noble     dne
python3.7       oracular  dne
python3.8       bionic    not-affected
python3.8       focal     not-affected
python3.8       jammy     dne
python3.8       noble     dne
python3.8       oracular  dne
python3.9       focal     not-affected
python3.9       jammy     dne
python3.9       noble     dne
python3.9       oracular  dne