CVE-2023-29824
Use-after-free vulnerability in scipy (PyPI)

Use-after-free | No known exploit

What is CVE-2023-29824 About?

This entry describes a disputed use-after-free in the `Py_FindObjects()` function of SciPy versions before 1.8.0. In general, a use-after-free can corrupt memory and lead to denial of service or, in the worst case, arbitrary code execution. Exploiting one is usually complex and requires precise control of heap layout, and in this case the vendor disputes that the issue is a security vulnerability at all.

Affected Software

scipy <1.8.0

Technical Details

The disputed vulnerability is a use-after-free condition in the Py_FindObjects() function of SciPy releases before 1.8.0. A use-after-free occurs when a program accesses memory through a pointer after that memory has been deallocated. The freed region may be handed out again for another purpose, so a read through the stale pointer returns unrelated data and a write through it corrupts whatever now lives there. The vendor and the discoverer dispute that this is a security issue. No public proof of concept is known, and without a demonstrated input that reaches the dangling access from attacker-controlled data, the defect is better treated as a robustness bug than as a code-execution primitive.

What is the Impact of CVE-2023-29824?

If the condition can be reached with attacker-controlled input, successful exploitation could corrupt memory and crash the process, causing denial of service. Arbitrary code execution, which would compromise the integrity and confidentiality of the host application, is the worst-case outcome but has not been demonstrated for this issue.

What is the Exploitability of CVE-2023-29824?

Exploiting a use-after-free is typically complex: it requires an understanding of the allocator and heap layout, and reliable exploitation usually depends on precise sequencing of allocations and frees to place attacker-controlled data in the freed region. Once the vulnerable code path is reached, no additional authentication or privilege is required, because the access happens inside the application's own process. The attack vector is local when a malicious input is passed to the affected SciPy function directly, and remote when SciPy runs in a server-side component that processes untrusted data. Triggering the condition requires a specific sequence of operations on the affected code path. The dispute over its security impact suggests that turning it into a working exploit (for example, remote code execution) rather than a crash is difficult, if possible at all. The main risk factor is an application that feeds untrusted input into the affected SciPy code path while running a version below 1.8.0.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known public exploits are listed.

What are the Available Fixes for CVE-2023-29824?

Available Upgrade Options

  • scipy
    • <1.8.0 → Upgrade to 1.8.0 or later
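The version check a practitioner would want for the affected range and the upgrade option above, as an added example that is not code from the SciPy project or from this advisory's publisher: a small Python audit that compares version strings against the 1.8.0 fix boundary, flags scipy entries in requirements.txt-style text, and reports the scipy version installed in the running interpreter. The requirements text is constructed for the example. The version parser is an assumption: it handles a simplified PEP 440 subset (release segment plus a/b/rc pre-releases, so 1.8.0rc1 is correctly treated as below 1.8.0) and raises on post, dev or local segments rather than guessing.

```python
# Added example: a dependency audit for CVE-2023-29824 (scipy < 1.8.0).
# Not code from SciPy or from this advisory's publisher.
import re
from typing import Dict, List, Optional, Tuple

FIXED_VERSION = "1.8.0"   # first release the advisory lists as fixed

# Pre-release ranks: a < b < rc < final. Final releases get rank 3.
_PRE_RANK = {"a": 0, "b": 1, "rc": 2}
_FINAL_RANK = 3

# Assumption: a simplified PEP 440 subset (release segment plus optional
# a/b/rc pre-release). Post/dev/local segments raise ValueError instead.
_VERSION_RE = re.compile(r"v?(\d+(?:\.\d+)*)(?:[.\-]?(a|b|rc)(\d*))?")

# Assumption: requirements lines of the form `name[op version][; marker]`.
_REQ_RE = re.compile(
    r"^([A-Za-z0-9][A-Za-z0-9_.\-]*)(?:\s*(===|==|~=|>=|<=|!=|>|<)\s*([^\s;#,]+))?"
)


def parse_version(text: str) -> Tuple[Tuple[int, ...], Tuple[int, int]]:
    """Turn '1.8.0rc1' into a comparable tuple; '1.8' compares equal to '1.8.0'."""
    m = _VERSION_RE.fullmatch(text.strip().lower())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    release = tuple(int(part) for part in m.group(1).split("."))
    release += (0,) * max(0, 3 - len(release))      # pad so 1.8 == 1.8.0
    if m.group(2):
        pre = (_PRE_RANK[m.group(2)], int(m.group(3) or 0))
    else:
        pre = (_FINAL_RANK, 0)
    return release, pre


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` is strictly below the first fixed release."""
    return parse_version(version) < parse_version(fixed)


def audit_requirements(text: str, package: str = "scipy") -> List[Dict[str, object]]:
    """Flag `package` entries in requirements.txt-style text.

    Exact pins (==, ===) are judged definitively. A lower bound at or above the
    fixed release is reported as fixed; any other specifier (or no specifier)
    is indeterminate, because the resolver may still select an affected version.
    """
    findings: List[Dict[str, object]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        m = _REQ_RE.match(line)
        if not m:
            continue
        name, op, ver = m.groups()
        if name.lower().replace("_", "-") != package:
            continue
        if op in ("==", "==="):
            status = "affected" if is_affected(ver) else "fixed"
        elif op == ">=" and not is_affected(ver):
            status = "fixed"
        else:
            status = "indeterminate"
        spec = name if op is None else f"{name}{op}{ver}"
        findings.append({"line": lineno, "spec": spec, "status": status})
    return findings


def check_installed(package: str = "scipy") -> Optional[Dict[str, object]]:
    """Report the version of `package` installed in this interpreter, if any."""
    from importlib.metadata import PackageNotFoundError, version  # Python 3.8+
    try:
        installed = version(package)
    except PackageNotFoundError:
        return None
    try:
        affected: Optional[bool] = is_affected(installed)
    except ValueError:
        affected = None      # unparsed version string: report it, do not guess
    return {"version": installed, "affected": affected}


# Constructed sample input for the example; not taken from any real project.
SAMPLE_REQUIREMENTS = """\
numpy==1.21.6
scipy==1.7.3          # pinned below the 1.8.0 fix boundary
scikit-learn>=1.0
"""

if __name__ == "__main__":
    for finding in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {finding['line']}: {finding['spec']} -> {finding['status']}")
    print("installed:", check_installed())
```

Only exact pins give a definitive answer; a bare `scipy` or a loose range such as `scipy>=1.7` is reported as indeterminate on purpose, since what actually ships depends on the lock file or resolver, and that is where the installed-version check comes in.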


Additional Resources

What are Similar Vulnerabilities to CVE-2023-29824?

Similar Vulnerabilities: CVE-2022-3171, CVE-2022-42915, CVE-2022-41885, CVE-2022-34903, CVE-2022-36946