Vulnerability Description
An issue was discovered in Python 3.11 through 3.11.4. If a path containing '\0' bytes is passed to os.path.normpath(), the path will be truncated unexpectedly at the first '\0' byte. There are plausible cases in which an application would have rejected a filename for security reasons in Python 3.10.x or earlier, but that filename is no longer rejected in Python 3.11.x.
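The defender's concern above is that a path can pass a check and then be silently shortened by normpath(). As an added example (not the CVE record's or CPython's own code), a wrapper that refuses embedded NUL bytes before normalising, an allow-list check built on it, and a runtime probe that reports whether the running interpreter exhibits the truncation. The names safe_normpath, is_under_root and normpath_truncates and the sample paths are constructed for this example.

```python
import os
import sys


def normpath_truncates() -> bool:
    """Runtime probe: does this interpreter's os.path.normpath() cut a
    path at the first NUL byte? Expected True on unpatched 3.11.0-3.11.4."""
    probe = "probe\0hidden"  # constructed sample path
    return os.path.normpath(probe) == "probe"


def version_in_advisory_range() -> bool:
    """Static check against the range stated in the advisory. A vendor
    build may carry the fix, so prefer the runtime probe above."""
    return sys.version_info[:2] == (3, 11) and sys.version_info[2] <= 4


def safe_normpath(path):
    """Normalise a path but reject embedded NUL bytes first, so the
    result can never differ from what an earlier validation step saw.
    Accepts str, bytes or os.PathLike; independent of Python version."""
    path = os.fspath(path)
    nul = b"\0" if isinstance(path, bytes) else "\0"
    if nul in path:
        raise ValueError("embedded NUL byte in path")
    return os.path.normpath(path)


def is_under_root(root, candidate) -> bool:
    """Allow-list check: is candidate inside root after normalisation?
    Embedded NULs raise instead of being truncated into a different path."""
    root_n = safe_normpath(root)
    cand_n = safe_normpath(os.path.join(root_n, candidate))
    return cand_n == root_n or cand_n.startswith(root_n + os.sep)


if __name__ == "__main__":
    print("normpath truncates at NUL:", normpath_truncates())
    print("version in advisory range:", version_in_advisory_range())
    print(is_under_root("/srv/uploads", "a/../b.txt"))   # True
    try:
        is_under_root("/srv/uploads", "b.txt\0ignored")
    except ValueError as exc:
        print("rejected:", exc)
```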
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Python | Python | >= 3.11.0, <= 3.11.4 |
| Netapp | Active Iq Unified Manager | - |
Related Weaknesses (CWE)
References
- https://github.com/python/cpython/issues/106242Issue TrackingPatch
- https://github.com/python/cpython/pull/107981Patch
- https://github.com/python/cpython/pull/107982Patch
- https://github.com/python/cpython/pull/107983Patch
- https://mail.python.org/archives/list/security-announce%40python.org/thread/D6CD
- https://security.netapp.com/advisory/ntap-20231006-0015/Third Party Advisory
- https://github.com/python/cpython/issues/106242Issue TrackingPatch
- https://github.com/python/cpython/pull/107981Patch
- https://github.com/python/cpython/pull/107982Patch
- https://github.com/python/cpython/pull/107983Patch
- https://mail.python.org/archives/list/security-announce%40python.org/thread/D6CD
- https://security.netapp.com/advisory/ntap-20231006-0015/Third Party Advisory
FAQ
What is CVE-2023-41105?
CVE-2023-41105 is a vulnerability with a CVSS score of 7.5 (HIGH). An issue was discovered in Python 3.11 through 3.11.4. If a path containing '\0' bytes is passed to os.path.normpath(), the path will be truncated unexpectedly at the first '\0' byte. There are plausible cases in which an application would have rejected a filename for security reasons in Python 3.10.x or earlier, but that filename is no longer rejected in Python 3.11.x.
How severe is CVE-2023-41105?
CVE-2023-41105 has been rated HIGH with a CVSS base score of 7.5/10. See the CVSS Score section above.
Is there a patch for CVE-2023-41105?
Check the references section above for vendor advisories and patch information. Affected products include: Python Python, Netapp Active Iq Unified Manager.