First published: Tue Nov 26 2019(Updated: )
typed_ast 1.3.0 and 1.3.1 has an ast_for_arguments out-of-bounds read. An attacker with the ability to cause a Python interpreter to parse Python source (but not necessarily execute it) may be able to crash the interpreter process. This could be a concern, for example, in a web-based service that parses (but does not execute) Python code. (This issue also affected certain Python 3.8.0-alpha prereleases.)
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
Python Typed Ast | =1.3.0 | |
Python Typed Ast | =1.3.1 | |
pip/typed-ast | >=1.3.0<=1.3.1 | 1.3.2 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2019-19275 has been assigned a moderate severity level due to its potential to crash the Python interpreter.
To mitigate CVE-2019-19275, upgrade typed_ast to version 1.3.2 or later.
CVE-2019-19275 affects typed_ast versions 1.3.0 and 1.3.1.
CVE-2019-19275 could allow an attacker to cause an out-of-bounds read, potentially crashing the interpreter process.
CVE-2019-19275 can be exploited if an attacker can cause a Python interpreter to parse malicious Python source code.