Vulnerability-Lookup

CVE-2024-5642 (GCVE-0-2024-5642)

Vulnerability from cvelistv5 – Published: 2024-06-27 21:05 – Updated: 2026-04-21 20:12

Title

Buffer overread when using an empty list with SSLContext.set_npn_protocols()

Summary

CPython 3.9 and earlier doesn't disallow configuring an empty list ("[]") for SSLContext.set_npn_protocols() which is an invalid value for the underlying OpenSSL API. This results in a buffer over-read when NPN is used (see CVE-2024-5535 for OpenSSL). This vulnerability is of low severity due to NPN being not widely used and specifying an empty list likely being uncommon in-practice (typically a protocol name would be configured).

Severity

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

SSVC

Exploitation: none Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-noinfo Not enough information

Assigner

PSF

References

8 references

URL	Tags
https://jbp.io/2024/06/27/cve-2024-5535-openssl-m…	third-party-advisory
https://github.com/python/cpython/pull/23014	mitigation
https://mail.python.org/archives/list/security-an…	vendor-advisory
https://github.com/python/cpython/commit/39258d35…	patch
http://www.openwall.com/lists/oss-security/2024/06/28/4
https://github.com/python/cpython/issues/121227	issue-tracking
https://security.netapp.com/advisory/ntap-2024072…
https://github.com/python/cpython/commit/a2cdbb6e…	patch

Impacted products

1 product

Vendor	Product	Version
Python Software Foundation	CPython	Affected: 0 , < 3.10.0b1 (python)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "LOW",
              "baseScore": 6.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "LOW",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-5642",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-28T13:47:34.169947Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "description": "CWE-noinfo Not enough information",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-06T20:14:30.590Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T21:18:06.642Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "third-party-advisory",
              "x_transferred"
            ],
            "url": "https://jbp.io/2024/06/27/cve-2024-5535-openssl-memory-safety.html"
          },
          {
            "tags": [
              "mitigation",
              "x_transferred"
            ],
            "url": "https://github.com/python/cpython/pull/23014"
          },
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/PLP2JI3PJY33YG6P5BZYSSNU66HASXBQ/"
          },
          {
            "tags": [
              "patch",
              "x_transferred"
            ],
            "url": "https://github.com/python/cpython/commit/39258d3595300bc7b952854c915f63ae2d4b9c3e"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2024/06/28/4"
          },
          {
            "tags": [
              "issue-tracking",
              "x_transferred"
            ],
            "url": "https://github.com/python/cpython/issues/121227"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20240726-0005/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "CPython",
          "repo": "https://github.com/python/cpython",
          "vendor": "Python Software Foundation",
          "versions": [
            {
              "lessThan": "3.10.0b1",
              "status": "affected",
              "version": "0",
              "versionType": "python"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "CPython 3.9 and earlier doesn\u0027t disallow configuring an empty list (\"[]\") for SSLContext.set_npn_protocols() which is an invalid value for the underlying OpenSSL API. This results in a buffer over-read when NPN is used (see \u003cspan style=\"background-color: oklab(0.0852327 0.00000386313 0.00000170618 / 0.06);\"\u003eCVE\u003c/span\u003e\u003cspan style=\"background-color: oklab(0.0852327 0.00000386313 0.00000170618 / 0.06);\"\u003e-2024\u003c/span\u003e\u003cspan style=\"background-color: oklab(0.0852327 0.00000386313 0.00000170618 / 0.06);\"\u003e-5535\u003c/span\u003e for OpenSSL). This vulnerability is of low severity due to NPN being not widely used and specifying an empty list likely being uncommon in-practice (typically a protocol name would be configured).\u003cbr\u003e"
            }
          ],
          "value": "CPython 3.9 and earlier doesn\u0027t disallow configuring an empty list (\"[]\") for SSLContext.set_npn_protocols() which is an invalid value for the underlying OpenSSL API. This results in a buffer over-read when NPN is used (see CVE-2024-5535 for OpenSSL). This vulnerability is of low severity due to NPN being not widely used and specifying an empty list likely being uncommon in-practice (typically a protocol name would be configured)."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-21T20:12:42.468Z",
        "orgId": "28c92f92-d60d-412d-b760-e73465c3df22",
        "shortName": "PSF"
      },
      "references": [
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://jbp.io/2024/06/27/cve-2024-5535-openssl-memory-safety.html"
        },
        {
          "tags": [
            "mitigation"
          ],
          "url": "https://github.com/python/cpython/pull/23014"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/PLP2JI3PJY33YG6P5BZYSSNU66HASXBQ/"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/python/cpython/commit/39258d3595300bc7b952854c915f63ae2d4b9c3e"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2024/06/28/4"
        },
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://github.com/python/cpython/issues/121227"
        },
        {
          "url": "https://security.netapp.com/advisory/ntap-20240726-0005/"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/python/cpython/commit/a2cdbb6e8188ba9ba8b356b28d91bff60e86fe31"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Buffer overread when using an empty list with SSLContext.set_npn_protocols()",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22",
    "assignerShortName": "PSF",
    "cveId": "CVE-2024-5642",
    "datePublished": "2024-06-27T21:05:31.281Z",
    "dateReserved": "2024-06-04T18:40:21.539Z",
    "dateUpdated": "2026-04-21T20:12:42.468Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2024-5642",
      "date": "2026-06-07",
      "epss": "0.00187",
      "percentile": "0.40362"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-5642\",\"sourceIdentifier\":\"cna@python.org\",\"published\":\"2024-06-27T21:15:16.070\",\"lastModified\":\"2025-10-07T17:15:32.573\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"CPython 3.9 and earlier doesn\u0027t disallow configuring an empty list (\\\"[]\\\") for SSLContext.set_npn_protocols() which is an invalid value for the underlying OpenSSL API. This results in a buffer over-read when NPN is used (see CVE-2024-5535 for OpenSSL). This vulnerability is of low severity due to NPN being not widely used and specifying an empty list likely being uncommon in-practice (typically a protocol name would be configured).\"},{\"lang\":\"es\",\"value\":\"CPython 3.9 y versiones anteriores no permiten la configuraci\u00f3n de una lista vac\u00eda (\\\"[]\\\") para SSLContext.set_npn_protocols(), que es un valor no v\u00e1lido para la API OpenSSL subyacente. Esto da como resultado una lectura excesiva del b\u00fafer cuando se utiliza NPN (consulte CVE-2024-5535 para OpenSSL). Esta vulnerabilidad es de baja gravedad debido a que NPN no se usa ampliamente y especificar una lista vac\u00eda probablemente sea poco com\u00fan en la pr\u00e1ctica (normalmente se configurar\u00eda un nombre de protocolo).\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L\",\"baseScore\":6.5,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.9,\"impactScore\":2.5}]},\"references\":[{\"url\":\"http://www.openwall.com/lists/oss-security/2024/06/28/4\",\"source\":\"cna@python.org\"},{\"url\":\"https://github.com/python/cpython/commit/39258d3595300bc7b952854c915f63ae2d4b9c3e\",\"source\":\"cna@python.org\"},{\"url\":\"https://github.com/python/cpython/commit/a2cdbb6e8188ba9ba8b356b28d91bff60e86fe31\",\"source\":\"cna@python.org\"},{\"url\":\"https://github.com/python/cpython/issues/121227\",\"source\":\"cna@python.org\"},{\"url\":\"https://github.com/python/cpython/pull/23014\",\"source\":\"cna@python.org\"},{\"url\":\"https://jbp.io/2024/06/27/cve-2024-5535-openssl-memory-safety.html\",\"source\":\"cna@python.org\"},{\"url\":\"https://mail.python.org/archives/list/security-announce@python.org/thread/PLP2JI3PJY33YG6P5BZYSSNU66HASXBQ/\",\"source\":\"cna@python.org\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20240726-0005/\",\"source\":\"cna@python.org\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2024/06/28/4\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/python/cpython/commit/39258d3595300bc7b952854c915f63ae2d4b9c3e\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/python/cpython/issues/121227\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://github.com/python/cpython/pull/23014\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://jbp.io/2024/06/27/cve-2024-5535-openssl-memory-safety.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://mail.python.org/archives/list/security-announce@python.org/thread/PLP2JI3PJY33YG6P5BZYSSNU66HASXBQ/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20240726-0005/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://jbp.io/2024/06/27/cve-2024-5535-openssl-memory-safety.html\", \"tags\": [\"third-party-advisory\", \"x_transferred\"]}, {\"url\": \"https://github.com/python/cpython/pull/23014\", \"tags\": [\"mitigation\", \"x_transferred\"]}, {\"url\": \"https://mail.python.org/archives/list/security-announce@python.org/thread/PLP2JI3PJY33YG6P5BZYSSNU66HASXBQ/\", \"tags\": [\"vendor-advisory\", \"x_transferred\"]}, {\"url\": \"https://github.com/python/cpython/commit/39258d3595300bc7b952854c915f63ae2d4b9c3e\", \"tags\": [\"patch\", \"x_transferred\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2024/06/28/4\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://github.com/python/cpython/issues/121227\", \"tags\": [\"issue-tracking\", \"x_transferred\"]}, {\"url\": \"https://security.netapp.com/advisory/ntap-20240726-0005/\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-01T21:18:06.642Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-5642\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-06-28T13:47:34.169947Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"description\": \"CWE-noinfo Not enough information\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-06-28T13:47:40.782Z\"}}], \"cna\": {\"title\": \"Buffer overread when using an empty list with SSLContext.set_npn_protocols()\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"affected\": [{\"repo\": \"https://github.com/python/cpython\", \"vendor\": \"Python Software Foundation\", \"product\": \"CPython\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"3.10.0b1\", \"versionType\": \"python\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://jbp.io/2024/06/27/cve-2024-5535-openssl-memory-safety.html\", \"tags\": [\"third-party-advisory\"]}, {\"url\": \"https://github.com/python/cpython/pull/23014\", \"tags\": [\"mitigation\"]}, {\"url\": \"https://mail.python.org/archives/list/security-announce@python.org/thread/PLP2JI3PJY33YG6P5BZYSSNU66HASXBQ/\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://github.com/python/cpython/commit/39258d3595300bc7b952854c915f63ae2d4b9c3e\", \"tags\": [\"patch\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2024/06/28/4\"}, {\"url\": \"https://github.com/python/cpython/issues/121227\", \"tags\": [\"issue-tracking\"]}, {\"url\": \"https://security.netapp.com/advisory/ntap-20240726-0005/\"}, {\"url\": \"https://github.com/python/cpython/commit/a2cdbb6e8188ba9ba8b356b28d91bff60e86fe31\", \"tags\": [\"patch\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"CPython 3.9 and earlier doesn\u0027t disallow configuring an empty list (\\\"[]\\\") for SSLContext.set_npn_protocols() which is an invalid value for the underlying OpenSSL API. This results in a buffer over-read when NPN is used (see CVE-2024-5535 for OpenSSL). This vulnerability is of low severity due to NPN being not widely used and specifying an empty list likely being uncommon in-practice (typically a protocol name would be configured).\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"CPython 3.9 and earlier doesn\u0027t disallow configuring an empty list (\\\"[]\\\") for SSLContext.set_npn_protocols() which is an invalid value for the underlying OpenSSL API. This results in a buffer over-read when NPN is used (see \u003cspan style=\\\"background-color: oklab(0.0852327 0.00000386313 0.00000170618 / 0.06);\\\"\u003eCVE\u003c/span\u003e\u003cspan style=\\\"background-color: oklab(0.0852327 0.00000386313 0.00000170618 / 0.06);\\\"\u003e-2024\u003c/span\u003e\u003cspan style=\\\"background-color: oklab(0.0852327 0.00000386313 0.00000170618 / 0.06);\\\"\u003e-5535\u003c/span\u003e for OpenSSL). This vulnerability is of low severity due to NPN being not widely used and specifying an empty list likely being uncommon in-practice (typically a protocol name would be configured).\u003cbr\u003e\", \"base64\": false}]}], \"providerMetadata\": {\"orgId\": \"28c92f92-d60d-412d-b760-e73465c3df22\", \"shortName\": \"PSF\", \"dateUpdated\": \"2026-04-21T20:12:42.468Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-5642\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-21T20:12:42.468Z\", \"dateReserved\": \"2024-06-04T18:40:21.539Z\", \"assignerOrgId\": \"28c92f92-d60d-412d-b760-e73465c3df22\", \"datePublished\": \"2024-06-27T21:05:31.281Z\", \"assignerShortName\": \"PSF\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

WID-SEC-W-2025-2648

Vulnerability from csaf_certbund - Published: 2025-11-19 23:00 - Updated: 2025-11-19 23:00

Summary

IBM AIX und VIOS: Mehrere Schwachstellen

Severity

Hoch

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: AIX ist ein Unix Betriebssystem von IBM. IBM Virtual I/O Server (VIOS) bietet Virtualisierungsfunktionen.

Angriff: Ein entfernter anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in IBM AIX und IBM VIOS ausnutzen, um Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen oder eine Speicherbeschädigung durchzuführen.

Betroffene Betriebssysteme: - Sonstiges - UNIX

CVE-2024-47081

Affected products

Known affected 4 products

Product	Identifier	Version	Remediation
IBM VIOS 4.1 <python-3.9.24.0.tar.Z IBM / VIOS		4.1 <python-3.9.24.0.tar.Z
IBM VIOS 4.1 <python-3.11.14.0.tar.Z IBM / VIOS		4.1 <python-3.11.14.0.tar.Z
IBM AIX 7.3 <python-3.11.14.0.tar.Z IBM / AIX		7.3 <python-3.11.14.0.tar.Z
IBM AIX 7.3 <python-3.9.24.0.tar.Z IBM / AIX		7.3 <python-3.9.24.0.tar.Z

CVE-2024-5642

Affected products

Known affected 4 products

Product	Identifier	Version	Remediation
IBM VIOS 4.1 <python-3.9.24.0.tar.Z IBM / VIOS		4.1 <python-3.9.24.0.tar.Z
IBM VIOS 4.1 <python-3.11.14.0.tar.Z IBM / VIOS		4.1 <python-3.11.14.0.tar.Z
IBM AIX 7.3 <python-3.11.14.0.tar.Z IBM / AIX		7.3 <python-3.11.14.0.tar.Z
IBM AIX 7.3 <python-3.9.24.0.tar.Z IBM / AIX		7.3 <python-3.9.24.0.tar.Z

CVE-2025-59375

Affected products

Known affected 4 products

Product	Identifier	Version	Remediation
IBM VIOS 4.1 <python-3.9.24.0.tar.Z IBM / VIOS		4.1 <python-3.9.24.0.tar.Z
IBM VIOS 4.1 <python-3.11.14.0.tar.Z IBM / VIOS		4.1 <python-3.11.14.0.tar.Z
IBM AIX 7.3 <python-3.11.14.0.tar.Z IBM / AIX		7.3 <python-3.11.14.0.tar.Z
IBM AIX 7.3 <python-3.9.24.0.tar.Z IBM / AIX		7.3 <python-3.9.24.0.tar.Z

CVE-2025-6965

Affected products

Known affected 4 products

Product	Identifier	Version	Remediation
IBM VIOS 4.1 <python-3.9.24.0.tar.Z IBM / VIOS		4.1 <python-3.9.24.0.tar.Z
IBM VIOS 4.1 <python-3.11.14.0.tar.Z IBM / VIOS		4.1 <python-3.11.14.0.tar.Z
IBM AIX 7.3 <python-3.11.14.0.tar.Z IBM / AIX		7.3 <python-3.11.14.0.tar.Z
IBM AIX 7.3 <python-3.9.24.0.tar.Z IBM / AIX		7.3 <python-3.9.24.0.tar.Z

References

3 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://www.ibm.com/support/pages/node/7251902	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "AIX ist ein Unix Betriebssystem von IBM.\r\nIBM Virtual I/O Server (VIOS) bietet Virtualisierungsfunktionen.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter anonymer oder authentisierter Angreifer kann mehrere Schwachstellen in IBM AIX und IBM VIOS ausnutzen, um Informationen offenzulegen, einen Denial-of-Service-Zustand zu verursachen oder eine Speicherbesch\u00e4digung durchzuf\u00fchren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Sonstiges\n- UNIX",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2025-2648 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2025/wid-sec-w-2025-2648.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2025-2648 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-2648"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin vom 2025-11-19",
        "url": "https://www.ibm.com/support/pages/node/7251902"
      }
    ],
    "source_lang": "en-US",
    "title": "IBM AIX und VIOS: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2025-11-19T23:00:00.000+00:00",
      "generator": {
        "date": "2025-11-20T11:42:10.626+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.5.0"
        }
      },
      "id": "WID-SEC-W-2025-2648",
      "initial_release_date": "2025-11-19T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2025-11-19T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "7.3 \u003cpython-3.9.24.0.tar.Z",
                "product": {
                  "name": "IBM AIX 7.3 \u003cpython-3.9.24.0.tar.Z",
                  "product_id": "T048781"
                }
              },
              {
                "category": "product_version",
                "name": "7.3 python-3.9.24.0.tar.Z",
                "product": {
                  "name": "IBM AIX 7.3 python-3.9.24.0.tar.Z",
                  "product_id": "T048781-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:ibm:aix:7.3__python-3.9.24.0.tar.z"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "7.3 \u003cpython-3.11.14.0.tar.Z",
                "product": {
                  "name": "IBM AIX 7.3 \u003cpython-3.11.14.0.tar.Z",
                  "product_id": "T048782"
                }
              },
              {
                "category": "product_version",
                "name": "7.3 python-3.11.14.0.tar.Z",
                "product": {
                  "name": "IBM AIX 7.3 python-3.11.14.0.tar.Z",
                  "product_id": "T048782-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:ibm:aix:7.3__python-3.11.14.0.tar.z"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "AIX"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "4.1 \u003cpython-3.11.14.0.tar.Z",
                "product": {
                  "name": "IBM VIOS 4.1 \u003cpython-3.11.14.0.tar.Z",
                  "product_id": "T048783"
                }
              },
              {
                "category": "product_version",
                "name": "4.1 python-3.11.14.0.tar.Z",
                "product": {
                  "name": "IBM VIOS 4.1 python-3.11.14.0.tar.Z",
                  "product_id": "T048783-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:vios:4.1__python-3.11.14.0.tar.z"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "4.1 \u003cpython-3.9.24.0.tar.Z",
                "product": {
                  "name": "IBM VIOS 4.1 \u003cpython-3.9.24.0.tar.Z",
                  "product_id": "T048784"
                }
              },
              {
                "category": "product_version",
                "name": "4.1 python-3.9.24.0.tar.Z",
                "product": {
                  "name": "IBM VIOS 4.1 python-3.9.24.0.tar.Z",
                  "product_id": "T048784-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:ibm:vios:4.1__python-3.9.24.0.tar.z"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "VIOS"
          }
        ],
        "category": "vendor",
        "name": "IBM"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-47081",
      "product_status": {
        "known_affected": [
          "T048784",
          "T048783",
          "T048782",
          "T048781"
        ]
      },
      "release_date": "2025-11-19T23:00:00.000+00:00",
      "title": "CVE-2024-47081"
    },
    {
      "cve": "CVE-2024-5642",
      "product_status": {
        "known_affected": [
          "T048784",
          "T048783",
          "T048782",
          "T048781"
        ]
      },
      "release_date": "2025-11-19T23:00:00.000+00:00",
      "title": "CVE-2024-5642"
    },
    {
      "cve": "CVE-2025-59375",
      "product_status": {
        "known_affected": [
          "T048784",
          "T048783",
          "T048782",
          "T048781"
        ]
      },
      "release_date": "2025-11-19T23:00:00.000+00:00",
      "title": "CVE-2025-59375"
    },
    {
      "cve": "CVE-2025-6965",
      "product_status": {
        "known_affected": [
          "T048784",
          "T048783",
          "T048782",
          "T048781"
        ]
      },
      "release_date": "2025-11-19T23:00:00.000+00:00",
      "title": "CVE-2025-6965"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-5642 (GCVE-0-2024-5642)

WID-SEC-W-2025-2648

Tags

Sightings

Nomenclature