CVE-2020-8315: Unsafe DLL loading in getpathp.c on Windows 7¶
Warning
This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.
The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the Open Source Vulnerability Database.
At Python startup on Windows, getpathp.c loads api-ms-win-core-path-l1-1-0.dll with LoadLibraryW() and no LOAD_LIBRARY_SEARCH_xxx flags, so the loader uses the default DLL search order (the application directory, the system directories, the current directory, then PATH) instead of being restricted to %SystemRoot%\System32. On Windows 8 and later that name is an API set contract which the loader resolves internally without touching the file system; Windows 7 has no such contract, so the loader performs an ordinary search and a DLL of that name planted in a directory the search reaches is loaded in place of the system's copy.

Python 3.5 and older are not affected. Windows 8 and later are not affected.
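As an added example (not code from this page, from CPython or from the fix), here are the two checks a practitioner would run on a Windows fleet for this issue: a version/OS triage that encodes the affected ranges stated in this advisory, and a scan for a copy of the DLL planted in any directory that the flag-less LoadLibraryW() search order reaches, which goes a little beyond the page by also walking PATH. The function names, the Windows 7 version tuple (6, 1), the "Windows 8 and later" cut-off at (6, 2) and the SafeDllSearchMode order are my assumptions, and the demo fixture is constructed:

```python
"""Triage helpers for CVE-2020-8315 (added example; not CPython code).

Assumptions made here, not stated on the advisory page:
  * sys.getwindowsversion() reports Windows 7 as major 6, minor 1, and
    "Windows 8 and later" means (6, 2) and above.
  * Without LOAD_LIBRARY_SEARCH_* flags the loader walks the standard
    SafeDllSearchMode order: application directory, System32, the 16-bit
    system directory, the Windows directory, the current directory, then
    each PATH entry.  Only System32 is a legitimate location for the
    API-set DLL, so a copy anywhere else is suspicious.
"""
import os
import sys
import tempfile
from typing import Iterable, List, Optional, Tuple

DLL_NAME = "api-ms-win-core-path-l1-1-0.dll"

# First release on each affected line that carries the fix (from the advisory).
# 3.5 and older, and 3.9.0 onward, are not affected at all.
FIRST_FIXED = {
    (3, 6): (3, 6, 11),
    (3, 7): (3, 7, 7),
    (3, 8): (3, 8, 2),
}


def is_affected(version: Tuple[int, int, int],
                windows_version: Optional[Tuple[int, int]]) -> bool:
    """True if CPython `version` running on `windows_version` is vulnerable.

    windows_version is (major, minor) from sys.getwindowsversion(), or None
    when the interpreter is not running on Windows.
    """
    if windows_version is None or windows_version >= (6, 2):
        return False        # not Windows, or Windows 8+ where the name is an API set
    fixed = FIRST_FIXED.get(tuple(version[:2]))
    if fixed is None:
        return False        # 3.5 and older, or 3.9+
    return tuple(version) < fixed


def default_search_dirs(exe_dir: str, cwd: str, path_env: str) -> List[str]:
    """Directories a flag-less LoadLibraryW() search reaches other than the
    system directories: application directory, current directory, then every
    PATH entry, in the order the loader visits them (assumed order, see above)."""
    path_dirs = [p.strip().strip('"') for p in path_env.split(os.pathsep) if p.strip()]
    return [exe_dir, cwd] + path_dirs


def find_planted_copies(search_dirs: Iterable[str], system_dir: str,
                        dll_name: str = DLL_NAME) -> List[str]:
    """Return every `dll_name` found in `search_dirs` outside `system_dir`.

    A copy of the API-set DLL anywhere but System32 is what an unpatched
    interpreter on Windows 7 would pick up at startup.
    """
    system_dir = os.path.normcase(os.path.abspath(system_dir))
    hits: List[str] = []
    seen = set()
    for d in search_dirs:
        d = os.path.normcase(os.path.abspath(d))
        if d == system_dir or d in seen:
            continue
        seen.add(d)
        candidate = os.path.join(d, dll_name)
        if os.path.isfile(candidate):
            hits.append(candidate)
    return hits


def audit_current_host() -> dict:
    """Run both checks against the running interpreter and its environment."""
    win = None
    system_dir = ""
    if sys.platform == "win32":
        v = sys.getwindowsversion()
        win = (v.major, v.minor)
        system_dir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    dirs = default_search_dirs(os.path.dirname(sys.executable), os.getcwd(),
                               os.environ.get("PATH", ""))
    return {
        "affected_version": is_affected(tuple(sys.version_info[:3]), win),
        "planted_copies": find_planted_copies(dirs, system_dir) if system_dir else [],
    }


def run_demo() -> List[str]:
    """Constructed fixture (runs on any OS): a fake System32 and a 'work'
    directory that both hold a file named like the DLL.  Only the copy outside
    System32 is reported; paths are returned relative to the fixture root."""
    with tempfile.TemporaryDirectory() as root:
        system_dir = os.path.join(root, "System32")
        work_dir = os.path.join(root, "work")
        for d in (system_dir, work_dir):
            os.mkdir(d)
            with open(os.path.join(d, DLL_NAME), "wb") as f:
                f.write(b"MZ")      # placeholder bytes, not a real DLL
        dirs = default_search_dirs(exe_dir=root, cwd=work_dir, path_env=system_dir)
        hits = find_planted_copies(dirs, system_dir)
        return [os.path.relpath(h, root).replace(os.sep, "/") for h in hits]


if __name__ == "__main__":
    print(run_demo())               # ['work/api-ms-win-core-path-l1-1-0.dll']
    print(audit_current_host())
```

Run it with the interpreter under test so sys.executable and sys.version_info describe that install; a non-empty planted_copies list on a Windows 7 host with an affected version is an incident, not a configuration quirk, and the file should be preserved for analysis before removal.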
Dates:
- Disclosure date: 2020-01-21 (Python issue bpo-39401 reported)
Fixed In¶
- Python 3.6.11 (2020-06-27) fixed by commit 51332c4 (branch 3.6) (2020-01-31)
- Python 3.7.7 (2020-03-10) fixed by commit 561c597 (branch 3.7) (2020-01-30)
- Python 3.8.2 (2020-02-24) fixed by commit ad4a20b (branch 3.8) (2020-01-30)
- Python 3.9.0 (2020-10-05) fixed by commit 6a65eba (branch 3.9) (2020-01-29)
Python issue¶
[CVE-2020-8315] Unsafe dll loading in getpathp.c on Win7.
- Python issue: bpo-39401
- Creation date: 2020-01-21
- Reporter: Anthony Wee
CVE-2020-8315¶
In Python (CPython) 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1, an insecure dependency load upon launch on Windows 7 may result in an attacker’s copy of api-ms-win-core-path-l1-1-0.dll being loaded and used instead of the system’s copy. Windows 8 and later are unaffected.
- CVE ID: CVE-2020-8315
- Published: 2020-01-28
- CVSS Score: 4.3
Timeline¶
Timeline using the disclosure date 2020-01-21 as reference:
- 2020-01-21: Python issue bpo-39401 reported by Anthony Wee
- 2020-01-28 (+7 days): CVE-2020-8315 published
- 2020-01-29 (+8 days): commit 6a65eba (branch 3.9)
- 2020-01-30 (+9 days): commit 561c597 (branch 3.7)
- 2020-01-30 (+9 days): commit ad4a20b (branch 3.8)
- 2020-01-31 (+10 days): commit 51332c4 (branch 3.6)
- 2020-02-24 (+34 days): Python 3.8.2 released
- 2020-03-10 (+49 days): Python 3.7.7 released
- 2020-06-27 (+158 days): Python 3.6.11 released
- 2020-10-05: Python 3.9.0 released