CVE-2020-8315: Unsafe DLL loading in getpathp.c on Windows 7¶
Warning
This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.
The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the Open Source Vulnerability Database.
At Python startup on Windows, getpathp.c loads api-ms-win-core-path-l1-1-0.dll by bare file name with LoadLibraryW() and no LOAD_LIBRARY_SEARCH_xxx flags, so the default DLL search order applies: the application directory, the system directories, the current directory, then each directory on PATH. Windows 8 and later resolve this name as a system API set, so the system copy is always found first. Windows 7 has no DLL of that name, so the search falls through to the current directory and PATH, and a copy planted there by an attacker is loaded and runs with the privileges of the user starting Python. The standard mitigation for such a bare-name load is LoadLibraryExW() with LOAD_LIBRARY_SEARCH_SYSTEM32, which restricts the search to %windir%\System32.
Python 3.5 and older are not affected (they do not load this DLL).
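The following PowerShell script is an added example for this page, not code from CPython or the bpo-39401 fix. It walks the directories that the default DLL search order consults for a bare-name LoadLibraryW() call (application directory of python.exe, System32, the 16-bit system directory, the Windows directory, the current directory, then PATH) and reports every copy of api-ms-win-core-path-l1-1-0.dll, flagging any that is not the System32 copy. The -PythonExe parameter and the SafeDllSearchMode-enabled ordering are assumptions; run it from the directory an unpatched Python would be started in.

```powershell
# Added example (not part of the Python project): audit the DLL search path for
# planted copies of api-ms-win-core-path-l1-1-0.dll (CVE-2020-8315).
param(
    # Assumption: the Python under test is the first python.exe on PATH.
    [string]$PythonExe = (Get-Command python.exe -ErrorAction SilentlyContinue).Source
)

$dll      = 'api-ms-win-core-path-l1-1-0.dll'
$system32 = Join-Path $env:SystemRoot 'System32'

if (-not $PythonExe) {
    Write-Error 'python.exe not found on PATH; pass -PythonExe <path>'
    exit 2
}

# Default search order with SafeDllSearchMode enabled (the Windows 7 default):
# application dir, System32, 16-bit system dir, Windows dir, current dir, PATH.
$searchDirs = @(
    (Split-Path -Parent $PythonExe),
    $system32,
    (Join-Path $env:SystemRoot 'System'),
    $env:SystemRoot,
    (Get-Location).Path
) + ($env:Path -split ';' | Where-Object { $_ -ne '' })

$findings = foreach ($dir in ($searchDirs | Select-Object -Unique)) {
    $candidate = Join-Path $dir $dll
    if (Test-Path -LiteralPath $candidate -PathType Leaf) {
        $item = Get-Item -LiteralPath $candidate
        $sig  = Get-AuthenticodeSignature -FilePath $item.FullName
        [pscustomobject]@{
            Path     = $item.FullName
            IsSystem = ($item.DirectoryName -ieq $system32)
            SigState = $sig.Status
            Signer   = $sig.SignerCertificate.Subject
        }
    }
}

# Report the Python version so the result can be matched against the fixed releases.
Write-Host ("Python: " + (& $PythonExe -c "import sys; print(sys.version.split()[0])"))
Write-Host ("OS build: " + [System.Environment]::OSVersion.Version)

if ($findings) { $findings | Format-Table -AutoSize }

$rogue = @($findings | Where-Object { -not $_.IsSystem })
if ($rogue.Count -gt 0) {
    Write-Warning ("Found {0} copy/copies of {1} outside System32. On Windows 7, an unpatched " +
                   "Python started from this directory would load the first one in search order." `
                   -f $rogue.Count, $dll)
    exit 1
}
Write-Host "No copy of $dll outside System32 in the search path."
exit 0
```

On Windows 7 the table is normally empty, since the API set does not exist there; any row at all is therefore suspicious, and an unsigned or untrusted SigState on a row outside System32 is the indicator a responder would act on. On Windows 8 and later only the System32 row is expected.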
Dates:
Disclosure date: 2020-01-21 (Python issue bpo-39401 reported)
Fixed In¶
Python 3.6.11 (2020-06-27) fixed by commit 51332c4 (branch 3.6) (2020-01-31)
Python 3.7.7 (2020-03-10) fixed by commit 561c597 (branch 3.7) (2020-01-30)
Python 3.8.2 (2020-02-24) fixed by commit ad4a20b (branch 3.8) (2020-01-30)
Python 3.9.0 (2020-10-05) fixed by commit 6a65eba (branch 3.9) (2020-01-29)
Python issue¶
[CVE-2020-8315] Unsafe dll loading in getpathp.c on Win7.
Python issue: bpo-39401
Creation date: 2020-01-21
Reporter: Anthony Wee
CVE-2020-8315¶
In Python (CPython) 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1, an insecure dependency load upon launch on Windows 7 may result in an attacker’s copy of api-ms-win-core-path-l1-1-0.dll being loaded and used instead of the system’s copy. Windows 8 and later are unaffected.
CVE ID: CVE-2020-8315
Published: 2020-01-28
CVSS Score: 4.3
Timeline¶
Timeline using the disclosure date 2020-01-21 as reference:
2020-01-21: Python issue bpo-39401 reported by Anthony Wee
2020-01-28 (+7 days): CVE-2020-8315 published
2020-01-29 (+8 days): commit 6a65eba (branch 3.9)
2020-01-30 (+9 days): commit 561c597 (branch 3.7)
2020-01-30 (+9 days): commit ad4a20b (branch 3.8)
2020-01-31 (+10 days): commit 51332c4 (branch 3.6)
2020-02-24 (+34 days): Python 3.8.2 released
2020-03-10 (+49 days): Python 3.7.7 released
2020-06-27 (+158 days): Python 3.6.11 released
2020-10-05 (+258 days): Python 3.9.0 released