CVE-2021-3177

moderate-risk

Published 2021-01-19

Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs because sprintf is used unsafely.

Do I need to act?

0.07% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (12)

Python

Fedora

Active Iq Unified Manager

Ontap Select Deploy Administration Utility

Debian Linux

Communications Cloud Native Core Network Function Cloud Native Environment

Communications Offline Mediation Controller

Communications Pricing Design Center

Enterprise Manager Ops Center

Zfs Storage Appliance Kit

Affected Vendors

Debian Oracle Python Fedoraproject Netapp

References (56)

Exploit https://bugs.python.org/issue42938

Patch https://github.com/python/cpython/pull/24239

https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430...

Mailing List https://lists.debian.org/debian-lts-announce/2021/04/msg00005.html

Mailing List https://lists.debian.org/debian-lts-announce/2022/02/msg00013.html

https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...

and 36 more references

/ 100

moderate-risk

Severity 32/34 · Critical

Exploitability 0/34 · Minimal

Exposure 17/34 · Moderate