GHSA-pwwp-3q7j-9mx8

Suggest an improvement
Source
https://github.com/advisories/GHSA-pwwp-3q7j-9mx8
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/09/GHSA-pwwp-3q7j-9mx8/GHSA-pwwp-3q7j-9mx8.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-pwwp-3q7j-9mx8
Aliases
Published
2024-09-17T21:30:32Z
Modified
2024-09-25T18:57:18.596249Z
Severity
  • 5.6 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L CVSS Calculator
  • 6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVSS Calculator
Summary
Use After Free in MicroPython
Details

A vulnerability was found in MicroPython 1.22.2. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file py/objarray.c. The manipulation leads to use after free. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. Upgrading to version 1.23.0 is able to address this issue. The identifier of the patch is 4bed614e707c0644c06e117f848fa12605c711cd. It is recommended to upgrade the affected component. In micropython objarray component, when a bytes object is resized and copied into itself, it may reference memory that has already been freed.

Database specific
{
    "nvd_published_at": "2024-09-17T19:15:29Z",
    "cwe_ids": [
        "CWE-416"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-09-25T18:18:16Z"
}
References

Affected packages

PyPI / micropython-copy

Package

Name
micropython-copy
View open source insights on deps.dev
Purl
pkg:pypi/micropython-copy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
3.3.3.post3

Affected versions

0.*

0.0.1
0.0.2

3.*

3.3.3-2
3.3.3.post3

PyPI / micropython-io

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
0.1

Affected versions

0.*

0.0.1
0.0.2
0.0.3
0.1