Lack of data validation - Path Traversal In python3.11
Description
An issue was discovered in Python 3.11 through 3.11.4. If a path containing '\0' bytes is passed to os.path.normpath(), the path will be truncated unexpectedly at the first '\0' byte. There are plausible cases in which an application would have rejected a filename for security reasons in Python 3.10.x or earlier, but that filename is no longer rejected in Python 3.11.x.
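The failure mode above is a check that runs after normalization: on an affected interpreter the NUL byte has already been stripped by os.path.normpath(), so a later "is there a NUL in this path?" test never fires. The defensive pattern is to validate the raw input before any normalization and to confine the normalized result to the intended base directory. The following is an added example, not code from the advisory or from CPython; the names UnsafePathError, validate_raw_path, safe_join, is_accepted, truncating_normpath and nul_check_after_normpath are assumptions made here, and truncating_normpath only simulates the affected behaviour so the comparison runs the same on any interpreter.

```python
"""Defensive handling of untrusted paths around os.path.normpath().

Added example, not code from the advisory or from CPython. posixpath is used
so results are identical on every platform. All function names here are
assumptions made for this example.
"""
import posixpath


class UnsafePathError(ValueError):
    """Raised when an untrusted path fails validation."""


def validate_raw_path(user_path: str) -> str:
    """Reject dangerous input *before* any normalization touches it.

    Checking the raw string is what makes this robust against the
    3.11.0-3.11.4 behaviour: a NUL byte cannot vanish before we look at it.
    """
    if not isinstance(user_path, str):
        raise UnsafePathError("path must be a str")
    if not user_path:
        raise UnsafePathError("empty path")
    if "\x00" in user_path:
        raise UnsafePathError("embedded NUL byte")
    return user_path


def safe_join(base_dir: str, user_path: str) -> str:
    """Join an untrusted relative path onto base_dir and confine the result.

    Validation runs on the raw input; containment is checked on the
    normalized absolute path, so neither '..' segments nor NUL truncation
    can move the result outside base_dir.
    """
    validate_raw_path(user_path)
    if posixpath.isabs(user_path):
        raise UnsafePathError("absolute paths are not allowed")
    base = posixpath.normpath(base_dir)
    prefix = base if base.endswith("/") else base + "/"
    candidate = posixpath.normpath(posixpath.join(base, user_path))
    if candidate != base and not candidate.startswith(prefix):
        raise UnsafePathError(f"path escapes base directory: {user_path!r}")
    return candidate


def is_accepted(base_dir: str, user_path: str) -> bool:
    """Convenience wrapper: True if safe_join accepts the path, else False."""
    try:
        safe_join(base_dir, user_path)
    except UnsafePathError:
        return False
    return True


def truncating_normpath(path: str) -> str:
    """Simulation of the affected 3.11.0-3.11.4 behaviour from the advisory:
    the path is cut at the first NUL byte and then normalized.
    Stand-in for demonstration only, not the real implementation."""
    return posixpath.normpath(path.split("\x00", 1)[0])


def nul_check_after_normpath(user_path: str) -> bool:
    """The fragile pattern: normalize first, then look for NUL bytes.

    Returns True when the path would be accepted. Against the simulated
    affected behaviour the NUL is already gone, so the check never fires.
    """
    normalized = truncating_normpath(user_path)
    return "\x00" not in normalized


if __name__ == "__main__":
    # Constructed sample inputs.
    print(safe_join("/srv/files", "docs/report.txt"))
    for bad in ("../etc/passwd", "docs/report.txt\x00.png", "/etc/passwd"):
        try:
            safe_join("/srv/files", bad)
        except UnsafePathError as exc:
            print("rejected:", exc)
    print("late NUL check accepts:",
          nul_check_after_normpath("docs/report.txt\x00.png"))
```

The order of operations is the whole point: validate_raw_path sees the bytes the caller actually sent, whereas nul_check_after_normpath only sees whatever normpath left behind, which on an affected interpreter is a silently shortened path.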
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
| Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
| debian 12 | 3.11.2-6+deb12u2 | | |
| rpm rhel8 | 0:3.11.5-1.el8_9 | | |
| rpm rhel9 | 0:3.11.5-1.el9_3 | | |