CVE-2022-48560

Description

A use-after-free exists in Python through 3.9 via heappushpop in heapq.

How to fix CVE-2022-48560

To remediate CVE-2022-48560, upgrade the affected package to a fixed version below.

• Bitnami/libpython—upgrade to 3.6.11 or later
• Bitnami/python—upgrade to 3.6.11 or later
• Bitnami/python-min—upgrade to 3.6.11 or later
• —upgrade to 2.7.18-8+deb11u1 or later
• —upgrade to 3.7.3-2+deb10u6 or later

Is CVE-2022-48560 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (5)

• from 0, < 3.6.11, >= 3.7.0, < 3.7.7, >= 3.8.0, < 3.8.2
• from 0, < 3.6.11, >= 3.7.0, < 3.7.7, >= 3.8.0, < 3.8.2
• from 0, < 3.6.11, >= 3.7.0, < 3.7.7, >= 3.8.0, < 3.8.2
• from 0, < 2.7.18-8+deb11u1
• from 0, < 3.7.3-2+deb10u6

CVSS scores

References (10)

• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2022-48560
• WEBbugs.python.org/issue39421
• WEBlists.debian.org/debian-lts-announce/2023/09/msg00022.html
• WEBlists.debian.org/debian-lts-announce/2023/10/msg00017.html