{
  "threat_severity" : "Low",
  "public_date" : "2024-06-17T00:00:00Z",
  "bugzilla" : {
    "description" : "cpython: python: Memory race condition in ssl.SSLContext certificate store methods",
    "id" : "2301891",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2301891"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.0",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-362",
  "details" : [ "A defect was discovered in the Python “ssl” module where there is a memory\nrace condition with the ssl.SSLContext methods “cert_store_stats()” and\n“get_ca_certs()”. The race condition can be triggered if the methods are\ncalled at the same time as certificates are loaded into the SSLContext,\nsuch as during the TLS handshake with a certificate directory configured.\nThis issue is fixed in CPython 3.10.14, 3.11.9, 3.12.3, and 3.13.0a5.", "A vulnerability was found in Python. A defect was discovered in the Python “ssl” module where there is a memory race condition with the ssl.SSLContext methods “cert_store_stats()” and “get_ca_certs()”. The race condition can be triggered if the methods are called at the same time that certificates are loaded into the SSLContext, such as during the TLS handshake with a  configured certificate directory." ],
  "statement" : "This vulnerability is classified as low severity instead of moderate because it primarily results in a race condition that can cause unexpected behavior or crashes but does not directly lead to memory corruption, information disclosure, or remote code execution. \nThe issue is constrained to scenarios where multiple threads interact with SSLContext during certificate loading, which is an uncommon pattern in typical applications. Additionally, exploitation would require precise timing and a specific application design that exposes these methods to concurrent access, reducing the likelihood of real-world impact.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-12-12T00:00:00Z",
    "advisory" : "RHSA-2024:10983",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "python3.9-0:3.9.21-1.el9_5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-11-12T00:00:00Z",
    "advisory" : "RHSA-2024:9190",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "python3.12-0:3.12.5-2.el9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-11-12T00:00:00Z",
    "advisory" : "RHSA-2024:9192",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "python3.11-0:3.11.9-7.el9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-12-12T00:00:00Z",
    "advisory" : "RHSA-2024:10983",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "python3.9-0:3.9.21-1.el9_5"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "python3.12",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "python",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "python",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "python3",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Out of support scope",
    "package_name" : "gimp:flatpak/python2",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Out of support scope",
    "package_name" : "python3",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Out of support scope",
    "package_name" : "python3.11",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Out of support scope",
    "package_name" : "python3.12",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Out of support scope",
    "package_name" : "python36:3.6/python36",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Out of support scope",
    "package_name" : "python39:3.9/python39",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Out of support scope",
    "package_name" : "python39-devel:3.9/python39",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-0397\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-0397\nhttps://mail.python.org/archives/list/security-announce@python.org/thread/BMAK5BCGKYWNJOACVUSLUF6SFGBIM4VP/" ],
  "name" : "CVE-2024-0397",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}