.. _unsafe-dll-load-windows-7:

CVE-2020-8315: Unsafe DLL loading in getpathp.c on Windows 7
============================================================

.. warning::
   This resource is maintained for historical reference and **does not
   contain the latest vulnerability info for Python**.

   The `canonical database for vulnerabilities affecting Python `_ is
   available on GitHub in the Open Source Vulnerability (OSV) format.

   This vulnerability can be viewed online at the `Open Source
   Vulnerability Database `_.

At Python startup, ``api-ms-win-core-path-l1-1-0.dll`` is loaded with
LoadLibraryW() without ``LOAD_LIBRARY_SEARCH_xxx`` flags.

Python 3.5 and older are not affected.

Dates:

* Disclosure date: **2020-01-21** (Python issue bpo-39401 reported)

Fixed In
--------

* Python **3.6.11** (2020-06-27) fixed by `commit 51332c4 (branch 3.6) `_ (2020-01-31)
* Python **3.7.7** (2020-03-10) fixed by `commit 561c597 (branch 3.7) `_ (2020-01-30)
* Python **3.8.2** (2020-02-24) fixed by `commit ad4a20b (branch 3.8) `_ (2020-01-30)
* Python **3.9.0** (2020-10-05) fixed by `commit 6a65eba (branch 3.9) `_ (2020-01-29)

Python issue
------------

[CVE-2020-8315] Unsafe dll loading in getpathp.c on Win7.

* Python issue: `bpo-39401 `_
* Creation date: 2020-01-21
* Reporter: Anthony Wee

CVE-2020-8315
-------------

In Python (CPython) 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through
3.8.1, an insecure dependency load upon launch on Windows 7 may result in an
attacker's copy of api-ms-win-core-path-l1-1-0.dll being loaded and used
instead of the system's copy. Windows 8 and later are unaffected.

* CVE ID: `CVE-2020-8315 `_
* Published: 2020-01-28
* `CVSS Score `_: 4.3

Timeline
--------

Timeline using the disclosure date **2020-01-21** as reference:

* 2020-01-21: `Python issue bpo-39401 `_ reported by Anthony Wee
* 2020-01-28 (**+7 days**): CVE-2020-8315 published
* 2020-01-29 (**+8 days**): `commit 6a65eba (branch 3.9) `_
* 2020-01-30 (**+9 days**): `commit 561c597 (branch 3.7) `_
* 2020-01-30 (**+9 days**): `commit ad4a20b (branch 3.8) `_
* 2020-01-31 (**+10 days**): `commit 51332c4 (branch 3.6) `_
* 2020-02-24 (**+34 days**): Python 3.8.2 released
* 2020-03-10 (**+49 days**): Python 3.7.7 released
* 2020-06-27 (**+158 days**): Python 3.6.11 released
* 2020-10-05: Python 3.9.0 released
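The description at the top of this page says the DLL was loaded with
LoadLibraryW() and no ``LOAD_LIBRARY_SEARCH_xxx`` flag, so the default DLL
search order decides which copy of ``api-ms-win-core-path-l1-1-0.dll`` is
found. The C fragment below is an added illustration written for this page;
it is not CPython's getpathp.c nor the code from the linked commits. It shows
the defensive pattern: restrict the search with LoadLibraryExW() and
``LOAD_LIBRARY_SEARCH_SYSTEM32``, and fall back to an explicitly fully
qualified System32 path when the flag is rejected (Windows 7 needs update
KB2533623 for the ``LOAD_LIBRARY_SEARCH_*`` flags). The helper names, the
sample directory in ``main`` and the fallback policy are this example's own
choices; the flag value 0x800 is the documented one.

```c
#include <stdio.h>
#include <wchar.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Added illustration for this page, not CPython's getpathp.c. The flag value
 * is the documented LoadLibraryExW one; it is defined here only so the
 * portable helpers also compile on non-Windows platforms. */
#ifndef LOAD_LIBRARY_SEARCH_SYSTEM32
#define LOAD_LIBRARY_SEARCH_SYSTEM32 0x00000800
#endif

/* Restricting the search to System32 only makes sense for a bare module
 * name: a path separator or drive letter in the name would redirect the
 * load somewhere else. */
int is_bare_module_name(const wchar_t *name)
{
    if (name == NULL || name[0] == L'\0')
        return 0;
    for (const wchar_t *p = name; *p != L'\0'; p++) {
        if (*p == L'\\' || *p == L'/' || *p == L':')
            return 0;
    }
    return 1;
}

/* Join the system directory and a bare module name into a fully qualified
 * path. Returns the number of characters written (without the terminating
 * NUL), or -1 if the name is not bare or the buffer is too small. */
int build_system32_path(const wchar_t *sysdir, const wchar_t *name,
                        wchar_t *out, size_t outlen)
{
    if (sysdir == NULL || sysdir[0] == L'\0' || !is_bare_module_name(name))
        return -1;
    size_t dlen = wcslen(sysdir);
    size_t nlen = wcslen(name);
    int need_sep = (sysdir[dlen - 1] != L'\\');
    size_t total = dlen + (need_sep ? 1 : 0) + nlen;
    if (out == NULL || total + 1 > outlen)
        return -1;
    wmemcpy(out, sysdir, dlen);
    size_t pos = dlen;
    if (need_sep)
        out[pos++] = L'\\';
    wmemcpy(out + pos, name, nlen);
    pos += nlen;
    out[pos] = L'\0';
    return (int)pos;
}

/* Check helper: does joining sysdir and name give exactly the expected
 * fully qualified path? Returns 1 for yes, 0 for no (or for a rejected name). */
int system32_path_equals(const wchar_t *sysdir, const wchar_t *name,
                         const wchar_t *expected)
{
    wchar_t buf[260];  /* MAX_PATH-sized scratch buffer */
    if (build_system32_path(sysdir, name, buf, sizeof buf / sizeof buf[0]) < 0)
        return 0;
    return wcscmp(buf, expected) == 0;
}

#ifdef _WIN32
/* Windows-only part: load a system DLL without consulting the default search
 * order (application directory, current directory, PATH, ...). */
HMODULE load_system_dll(const wchar_t *name)
{
    if (!is_bare_module_name(name))
        return NULL;
    /* Preferred form: the flag limits the search to %SystemRoot%\System32. */
    HMODULE h = LoadLibraryExW(name, NULL, LOAD_LIBRARY_SEARCH_SYSTEM32);
    if (h != NULL)
        return h;
    /* Windows 7 without KB2533623 does not know the LOAD_LIBRARY_SEARCH_*
     * flags and fails with ERROR_INVALID_PARAMETER; in that case pass an
     * explicit full path so the default search order is still bypassed. */
    if (GetLastError() != ERROR_INVALID_PARAMETER)
        return NULL;
    wchar_t sysdir[MAX_PATH];
    UINT n = GetSystemDirectoryW(sysdir, MAX_PATH);
    if (n == 0 || n >= MAX_PATH)
        return NULL;
    wchar_t full[MAX_PATH];
    if (build_system32_path(sysdir, name, full, MAX_PATH) < 0)
        return NULL;
    return LoadLibraryW(full);
}
#endif

int main(void)
{
    /* Constructed sample directory; on Windows GetSystemDirectoryW supplies it. */
    const wchar_t *sysdir = L"C:\\Windows\\System32";
    wchar_t full[260];
    int n = build_system32_path(sysdir, L"api-ms-win-core-path-l1-1-0.dll",
                                full, 260);
    if (n > 0)
        wprintf(L"would load: %ls (%d chars)\n", full, n);
    wprintf(L"bare name check for \"..\\\\evil.dll\": %d\n",
            is_bare_module_name(L"..\\evil.dll"));
    return 0;
}
```

On a Windows build, ``load_system_dll(L"api-ms-win-core-path-l1-1-0.dll")``
is the call a loader would make; elsewhere only the portable helpers compile,
which is enough to exercise the name validation and path construction. The
fallback deliberately keeps the explicit-path branch behind a check for
``ERROR_INVALID_PARAMETER`` only, so any other load failure is reported rather
than retried.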