CVE-2020-15523

In Python 3.6 through 3.6.10, 3.7 through 3.7.8, 3.8 through 3.8.4rc1, and 3.9 through 3.9.0b4 on Windows, a Trojan horse python3.dll might be used in cases where CPython is embedded in a native application. This occurs because python3X.dll may use an invalid search path for python3.dll loading (after Py_SetPath has been used). NOTE: this issue CANNOT occur when using python.exe from a standard (non-embedded) Python installation on Windows.

References

Affected packages

Git / github.com/python/cpython

Affected ranges

Type

GIT

Repo

https://github.com/python/cpython

Events

Introduced

2e789a1f1d84b343a996e8654590703b5fbdd441

Fixed

426b022776672fdf3d71ddd98d89af341c88080f

Introduced

5c4568a05a0a62b5947c55f68f9f2ecfb90a4f12

Fixed

c0a9afe2ac1820409e6173bd1893ebee2cf50270

Introduced

1bf9cc509326bc42cd8cb1650eb9bf64550d817e

Fixed

13c94747c74437e594b7fc242ff7da668e81887c

Introduced

fa919fdf2583bdfead1df00e842f24f30b2a34bf

Fixed

dfa645a65ec0788d98851130a217e029d1cc4e9b

Introduced

Last affected

6c38841c08edd6b0727903ec3f1acd10dc9766f6

Database specific

{
    "versions": [
        {
            "introduced": "3.5.0"
        },
        {
            "fixed": "3.5.10"
        },
        {
            "introduced": "3.6.0"
        },
        {
            "fixed": "3.6.12"
        },
        {
            "introduced": "3.7.0"
        },
        {
            "fixed": "3.7.9"
        },
        {
            "introduced": "3.8.0"
        },
        {
            "fixed": "3.8.4"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "3.8.4-rc1"
        }
    ]
}

Database specific

unresolved_ranges

[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "3.9.0-alpha1"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "3.9.0-alpha2"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "3.9.0-alpha3"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "3.9.0-alpha4"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "3.9.0-alpha5"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "3.9.0-alpha6"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "3.9.0-beta1"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "3.9.0-beta2"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "3.9.0-beta3"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "3.9.0-beta4"
            }
        ]
    }
]

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-15523.json"