1. Home
  2. CVE Database
  3. CVE-2023-6507
MEDIUM · 6.1

CVE-2023-6507

An issue was found in CPython 3.12.0 `subprocess` module on POSIX platforms. The issue was fixed in CPython 3.12.1 and does not affect other stable releases. When using the `extra_groups=` parameter ...

Vulnerability Description

An issue was found in CPython 3.12.0 `subprocess` module on POSIX platforms. The issue was fixed in CPython 3.12.1 and does not affect other stable releases. When using the `extra_groups=` parameter with an empty list as a value (ie `extra_groups=[]`) the logic regressed to not call `setgroups(0, NULL)` before calling `exec()`, thus not dropping the original processes' groups before starting the new process. There is no issue when the parameter isn't used or when any value is used besides an empty list. This issue only impacts CPython processes run with sufficient privilege to make the `setgroups` system call (typically `root`).

CVSS Score

6.1

MEDIUM

CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
Attack Vector
ADJACENT_NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
NONE

Affected Products

VendorProductVersions
PythonPython3.12.0

Related Weaknesses (CWE)

CWE-269

References

FAQ

What is CVE-2023-6507?

CVE-2023-6507 is a vulnerability with a CVSS score of 6.1 (MEDIUM). An issue was found in CPython 3.12.0 `subprocess` module on POSIX platforms. The issue was fixed in CPython 3.12.1 and does not affect other stable releases. When using the `extra_groups=` parameter ...

How severe is CVE-2023-6507?

CVE-2023-6507 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2023-6507?

Check the references section above for vendor advisories and patch information. Affected products include: Python Python.