CVE-2019-19275: typed-ast Out-of-bounds Read

CVSS Score: 7.5 (CVSS 3.1)

Basic Information

EPSS Score: 0.79282%
Published: 12/2/2019
Updated: 11/18/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name: typed-ast
Ecosystem: pip
Vulnerable Versions: >= 1.3.0, <= 1.3.1
First Patched Version: 1.3.2

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from two locations in Python/ast.c where array index bounds checks were missing after the index had been incremented. Commit a4d7836 in CPython and commit dc317ac in typed_ast explicitly add 'i < NCH(n)' checks at these locations to prevent the out-of-bounds reads. Both affected functions are directly referenced in the CVE description and in the patch diffs, and the vulnerability manifests when a malformed argument list is parsed.
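To make the pattern in the root-cause analysis concrete, here is an added example that is not code from CPython, typed_ast or Miggo: a constructed, simplified model of a parse-tree walk over an argument list, with the post-increment 'i < NCH(n)' check the patch adds marked FIX. The node struct, the token numbers, walk_arguments and the sample token lists are all assumptions made for the example.

```c
#include <stddef.h>
/* Constructed, simplified model of a CPython parse-tree node and the
 * NCH/CHILD/TYPE accessors; not CPython's real definitions. */
enum { NAME = 1, COMMA = 12, STAR = 16 };
typedef struct node { int n_type; int n_nchildren; struct node *n_child; } node;
#define NCH(n)      ((n)->n_nchildren)
#define CHILD(n, i) (&(n)->n_child[i])
#define TYPE(n)     ((n)->n_type)
/* Walk a varargslist-like child list, counting positional and keyword-only
 * parameters; returns 0, or -1 if the list is malformed.  The line marked FIX
 * is a post-increment 'i < NCH(n)' check of the kind the CVE-2019-19275 patch
 * adds; without it a list ending right after '*' reads CHILD(n, NCH(n)). */
int walk_arguments(const node *n, int *npos, int *nkwonly)
{
    int i = 0, after_star = 0;
    *npos = *nkwonly = 0;
    while (i < NCH(n)) {
        switch (TYPE(CHILD(n, i))) {
        case NAME:
            if (after_star) (*nkwonly)++; else (*npos)++;
            i++;
            break;
        case STAR:
            after_star = 1;
            i++;                                  /* step past '*' */
            if (!(i < NCH(n))) return -1;         /* FIX: bare '*' at the very end */
            if (TYPE(CHILD(n, i)) != COMMA) i++;  /* named *args; else bare '*' marker */
            break;
        case COMMA: i++; break;
        default:    return -1;                    /* unexpected token */
        }
    }
    return 0;
}
/* Constructed token lists standing in for real parser output. */
static node tok(int type) { node t = { type, 0, NULL }; return t; }
/* "a, b, *, c": well formed; 2 positional + 1 keyword-only, returned as 21. */
int demo_wellformed(void)
{
    node kids[] = { tok(NAME), tok(COMMA), tok(NAME), tok(COMMA), tok(STAR), tok(COMMA), tok(NAME) };
    node n = { 0, 7, kids }; int p, k;
    return walk_arguments(&n, &p, &k) == 0 ? p * 10 + k : -1;
}
/* "a, *" cut off right after '*': rejected with -1 instead of reading CHILD(n, 3). */
int demo_bare_star_at_end(void)
{
    node kids[] = { tok(NAME), tok(COMMA), tok(STAR) };
    node n = { 0, 3, kids }; int p, k;
    return walk_arguments(&n, &p, &k);
}
```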

WAF Protection Rules

WAF Rule

typed_ast 1.3.0 and 1.3.1 has an ast_for_arguments out-of-bounds read. An attacker with the ability to cause a Python interpreter to parse Python source (but not necessarily execute it) may be able to crash the interpreter process. This could be a co