What is CVE-2022-48566?

CVE-2022-48566 is a vulnerability discovered in Python through 3.9.1 that allows for constant-time-defeating optimizations in the accumulator variable of hmac.compare_digest.

How severe is CVE-2022-48566?

CVE-2022-48566 has a severity score of 8.1, which is classified as high.

What software is affected by CVE-2022-48566?

Python versions 3.6.0 through 3.9.1 are affected. Additionally, specific versions of Python 2.7 and 3.5 for Ubuntu and Python 2.7, 3.7, and 3.9 for Debian are also affected.

How can I fix CVE-2022-48566?

To fix CVE-2022-48566, update your Python installation to the latest patched version available for your operating system.

Where can I find more information about CVE-2022-48566?

More information about CVE-2022-48566 can be found at the following references: [1] [2] [3]

Vulnerability/
CVE-2022-48566

medium

5.9

CWE

362

22/8/2023

13/10/2023

CVE-2022-48566: Race Condition

First published: Tue Aug 22 2023(Updated: )

An issue was discovered in compare_digest in Lib/hmac.py in Python through 3.9.1. Constant-time-defeating optimisations were possible in the accumulator variable in hmac.compare_digest.

Credit: cve@mitre.org cve@mitre.org cve@mitre.org

Affected Software	Affected Version	How to fix
debian/python2.7	<=2.7.16-2+deb10u1	2.7.16-2+deb10u4 2.7.18-8+deb11u1
debian/python3.7	<=3.7.3-2+deb10u3	3.7.3-2+deb10u7
debian/python3.9		3.9.2-1
ubuntu/python2.7	<2.7.17-1~18.04ubuntu1.13+	2.7.17-1~18.04ubuntu1.13+
ubuntu/python2.7	<2.7.12-1ubuntu0~16.04.18+	2.7.12-1ubuntu0~16.04.18+
ubuntu/python3.5	<3.5.2-2ubuntu0~16.04.13+	3.5.2-2ubuntu0~16.04.13+
ubuntu/python3.7	<3.7.10	3.7.10
ubuntu/python3.8	<3.8.10-0ubuntu1~20.04	3.8.10-0ubuntu1~20.04
ubuntu/python3.8	<3.8.7	3.8.7
ubuntu/python3.9	<3.9.1	3.9.1
Python Python	<3.6.13
Python Python	>=3.7.0<3.7.10
Python Python	>=3.8.0<3.8.7
Python Python	>=3.9.0<3.9.1
Debian Debian Linux	=10.0
Netapp Active Iq Unified Manager Vmware Vsphere
Netapp Active Iq Unified Manager Windows
Netapp Converged Systems Advisor Agent

Remedy

https://bugs.python.org/issue40791

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

USN-6400-1

Frequently Asked Questions

What is CVE-2022-48566?
CVE-2022-48566 is a vulnerability discovered in Python through 3.9.1 that allows for constant-time-defeating optimizations in the accumulator variable of hmac.compare_digest.
How severe is CVE-2022-48566?
CVE-2022-48566 has a severity score of 8.1, which is classified as high.
What software is affected by CVE-2022-48566?
Python versions 3.6.0 through 3.9.1 are affected. Additionally, specific versions of Python 2.7 and 3.5 for Ubuntu and Python 2.7, 3.7, and 3.9 for Debian are also affected.
How can I fix CVE-2022-48566?
To fix CVE-2022-48566, update your Python installation to the latest patched version available for your operating system.
Where can I find more information about CVE-2022-48566?
More information about CVE-2022-48566 can be found at the following references: [1] [2] [3]

agent/type
collector/launchpad-cve
source/Launchpad
agent/first-publish-date
agent/last-modified-date
agent/remedy
agent/severity
agent/weakness
agent/author
agent/description
agent/event
collector/security-tracker-debian
source/Debian
agent/software-canonical-lookup
agent/softwarecombine
collector/usn-cve
source/Ubuntu
agent/references
agent/tags
collector/nvd-cve
source/NVD
agent/software-canonical-lookup-request
collector/nvd-api
collector/nvd-index
package-manager/debian
package-manager/ubuntu
vendor/python
canonical/python python
version/python python/3.7.0
version/python python/3.8.0
version/python python/3.9.0
vendor/debian
canonical/debian debian linux
version/debian debian linux/10.0
vendor/netapp
canonical/netapp active iq unified manager vmware vsphere
canonical/netapp active iq unified manager windows
canonical/netapp converged systems advisor agent