CVE-2020-27619

9.8 CRITICAL

📋 TL;DR

The CJK codec tests in Python's own test suite (Lib/test/multibytecodec_support.py) downloaded Unicode character-mapping tables over plain HTTP and passed fields of those files to eval(). An attacker who can tamper with that HTTP response (an on-path attacker, or whoever controls the serving host) therefore gets arbitrary code execution in the process running the tests. Affected: Python 3 through 3.9.0. The code is test-only and the download happens only when the test suite is run with its network resources enabled, so a production interpreter is not exposed merely because the file is installed.

💻 Affected Systems

Products:
  • Python
Versions: 3.0 through 3.9.0
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Only reachable when the CJK codec tests (test_codecmaps_*) are run with the test suite's urlfetch network resource enabled, which makes them fetch mapping files over plain HTTP and eval() their contents. The file simply being present on disk, or readable by others, is not exploitable; an attacker needs to control the HTTP response.

📦 What is this software?

Python by Python

Python is a high-level, interpreted programming language known for its readability and versatility. It is widely used in web development, data science, automation, and scientific computing.

Learn more about Python →

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker who controls the mapping-file download executes arbitrary code with the privileges of the user running the test suite (often a CI service account or a developer), which can lead to full compromise of that host.

🟠

Likely Case

Limited: the vulnerable path runs only on CI runners and developer machines that execute the CPython test suite with network resources enabled, and the attacker must be able to tamper with the plain-HTTP mapping-file download.

🟢

If Mitigated

No impact if the test suite is never run with the urlfetch resource enabled, or if the fix (which stops calling eval() on downloaded data) is applied.

🌐 Internet-Facing: LOW - Production services do not execute the interpreter's test suite.
🏢 Internal Only: MEDIUM - CI runners and developer hosts that run the full CPython test suite over untrusted networks can be hit by an on-path attacker.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the target to run the CJK codec tests with the urlfetch network resource enabled and the attacker to control or tamper with the plaintext HTTP response that supplies the mapping file (on-path position or a compromised server); no authentication is involved.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Python 3.9.1 and later (backports were also committed to the maintained 3.x branches; see the commits referenced in the CVE)

Vendor Advisory: https://bugs.python.org/issue41944

Restart Required: No

Instructions:

1. Upgrade Python to 3.9.1 or later.
2. For older 3.x branches, apply the backport commits referenced in the CVE: the fix stops calling eval() on the downloaded fields and parses them as base-16 integers instead.
3. Until patched, run the test suite without the urlfetch network resource, so the mapping files are never downloaded.
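To make the fix concrete, the following added example (written for this page, modelled on but not copied from CPython's test code) shows the pre-fix parsing pattern beside the hardened one and runs both over constructed mapping-file lines, including a hostile line standing in for a tampered HTTP response. The sample lines, the SIDE_EFFECTS marker and the function names are all constructed for the illustration; the payload only records that it ran, where a real attacker would use something like __import__('os').system(...).

```python
"""Vulnerable vs hardened parsing of a CJK mapping-file line (illustration of
the CVE-2020-27619 pattern, modelled on but not copied from CPython's test)."""
from typing import List, Optional, Tuple

# Constructed sample lines in the layout of the Unicode mapping tables the
# tests download: "<codeset hex>\t<unicode hex[+hex...]>\t# comment".
MAPPING_LINES = [
    "0x8140\t0x3000\t# IDEOGRAPHIC SPACE",
    "0x8863\t0x00CA+0x0304\t# two code points joined with '+'",
    "# comment-only line, skipped",
]

# Records whether attacker-supplied code executed (harmless stand-in for
# __import__('os').system(...)). The payload contains no whitespace because
# the parser splits fields on whitespace, exactly as the original test did.
SIDE_EFFECTS: List[str] = []
HOSTILE_LINE = "(SIDE_EFFECTS.append('attacker_code_ran'),0x41)[1]\t0x0041"


def split_fields(line: str) -> Optional[List[str]]:
    """Strip the comment and split into the two hex fields; None if malformed."""
    data = line.split("#")[0].strip().split()
    return data if len(data) == 2 else None


def parse_line_vulnerable(line: str) -> Optional[Tuple[int, str]]:
    """Pre-fix pattern: eval() on both fields of a line fetched over HTTP."""
    data = split_fields(line)
    if data is None:
        return None
    csetval = eval(data[0])  # attacker-controlled input reaches eval()
    unich = "".join(chr(eval(x)) for x in data[1].split("+"))
    return csetval, unich


def parse_line_fixed(line: str) -> Optional[Tuple[int, str]]:
    """Hardened form: parse the fields as base-16 integers. Anything that is
    not a hex literal raises ValueError instead of being executed."""
    data = split_fields(line)
    if data is None:
        return None
    csetval = int(data[0], 16)          # accepts "0x8140" as well as "8140"
    unich = "".join(chr(int(x, 16)) for x in data[1].split("+"))
    return csetval, unich


def demo() -> dict:
    """Run both parsers over the sample and hostile lines; return a summary."""
    SIDE_EFFECTS.clear()
    vuln = parse_line_vulnerable(HOSTILE_LINE)   # executes the payload
    executed = bool(SIDE_EFFECTS)
    try:
        parse_line_fixed(HOSTILE_LINE)
        rejected = False
    except ValueError:                           # "(SIDE_..." is not hex
        rejected = True
    return {
        "benign": [parse_line_fixed(line) for line in MAPPING_LINES],
        "vulnerable_result": vuln,
        "attacker_code_executed": executed,
        "fixed_rejected_hostile_line": rejected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The hostile line still yields a plausible-looking (0x41, 'A') pair from the vulnerable parser, so the test would have carried on without noticing that arbitrary code had just run; the hardened parser fails closed on the first non-hex field.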

🔧 Temporary Workarounds

Remove vulnerable test file

all

Delete the support module so the eval() path cannot run. Note that test_codecmaps_* and test_multibytecodec import it, so those tests will fail to import until the patched file is restored.

rm /path/to/python/Lib/test/multibytecodec_support.py

Restrict network access

all

Run the test suite without the urlfetch network resource (the default; avoid -u urlfetch and -u all), or block outbound plain-HTTP from test runners, so the mapping files are never downloaded and nothing reaches eval().

🧯 If You Can't Patch

  • Do not run the CPython test suite with network resources enabled on hosts that sit on untrusted networks, and never run it in production environments
  • Block outbound plain-HTTP from test runners, or pin the mapping-file download to a trusted mirror, so an on-path attacker cannot substitute the content that reaches eval()

🔍 How to Verify

Check if Vulnerable:

The interpreter is in the affected range (3.0 through 3.9.0, or an older maintenance branch without the backport) and its Lib/test/multibytecodec_support.py still calls eval() on the fields of the downloaded mapping file. If the test package is not installed at all (common with distribution-packaged Python), the vulnerable code cannot run.

Check Version:

python3 --version

Verify Fix Applied:

Verify that the Python version is 3.9.1 or later, or that Lib/test/multibytecodec_support.py no longer contains eval() calls on the mapping-file fields (the fix parses them as base-16 integers).
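The two checks above can be automated. The script below is an added example for this page, not a CPython tool: it reports the interpreter release against the page's 3.9.1 threshold, locates the installed test module via importlib, and looks for a bare eval( call in its source. The eval( regex is a heuristic based on the page's own verification guidance, and the assess() wording and function names are constructed for the illustration.

```python
"""Check whether the installed CPython test suite still carries the eval()
from CVE-2020-27619 (added check for this page, not part of CPython)."""
import importlib.util
import re
import sys
from typing import Optional, Tuple

FIXED_RELEASE = (3, 9, 1)            # first release the page lists as fixed
EVAL_CALL = re.compile(r"\beval\(")  # \b keeps ast.literal_eval( from matching


def release_is_fixed(version: Tuple[int, ...]) -> bool:
    """True when the release is 3.9.1 or later. Older maintenance branches got
    backports, so False means 'inspect the file', not 'vulnerable'."""
    return tuple(version[:3]) >= FIXED_RELEASE


def locate_support_module() -> Optional[str]:
    """Path of test/multibytecodec_support.py, or None when the test package
    is not installed (then the vulnerable code cannot run at all)."""
    try:
        spec = importlib.util.find_spec("test.multibytecodec_support")
    except ImportError:            # no 'test' package on this interpreter
        return None
    return spec.origin if spec is not None else None


def source_uses_eval(source: str) -> bool:
    """Heuristic for the vulnerable pattern: a bare eval( call in the module."""
    return EVAL_CALL.search(source) is not None


def assess(version: Tuple[int, ...], source: Optional[str]) -> str:
    """Combine the release check and the source check into one verdict."""
    if source is None:
        return "not applicable: test.multibytecodec_support is not installed"
    if source_uses_eval(source):
        return "VULNERABLE: eval() still applied to downloaded mapping data"
    if release_is_fixed(version):
        return "patched: release >= 3.9.1 and no eval() in the module"
    return "patched (backport): no eval() in the module"


def main() -> None:
    path = locate_support_module()
    source = None
    if path is not None:
        with open(path, encoding="utf-8") as f:
            source = f.read()
    print(f"python {sys.version.split()[0]}; module: {path}")
    print(assess(sys.version_info, source))


if __name__ == "__main__":
    main()
```

Run it with the interpreter you want to audit (python3 check.py); on distribution builds that ship without the test package it reports "not applicable", which is the correct answer for this CVE.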

📡 Detection & Monitoring

Log Indicators:

  • The CPython test suite invoked with network test resources enabled (regrtest -u urlfetch or -u all) on hosts where that is not expected
  • Child processes or unexpected outbound connections originating from a Python test-suite run

Network Indicators:

  • Plain-HTTP requests from Python test processes to www.pythontest.net (the host the tests fetch mapping files from), especially when the request is answered by an unexpected address

SIEM Query:

process.name:python* AND (process.args:*codecmaps* OR process.args:*urlfetch*) AND network.destination.port:80