CVE-2019-19274 – typed-ast

Package

Manager: pip
Name: typed-ast
Vulnerable Version: >=1.3.0 <1.3.2

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

EPSS: 0.0136 pctl0.79431

Details

typed-ast Out-of-bounds Read typed_ast 1.3.0 and 1.3.1 has a handle_keywordonly_args out-of-bounds read. An attacker with the ability to cause a Python interpreter to parse Python source (but not necessarily execute it) may be able to crash the interpreter process. This could be a concern, for example, in a web-based service that parses (but does not execute) Python code. (This issue also affected certain Python 3.8.0-alpha prereleases.)

Metadata

Created: 2019-12-02T18:02:02Z
Modified: 2024-09-09T21:35:17Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/12/GHSA-m3jw-62m7-jjcm/GHSA-m3jw-62m7-jjcm.json
CWE IDs: ["CWE-125"]
Alternative ID: GHSA-m3jw-62m7-jjcm
Finding: F111
Auto approve: 1