CVE-2020-15801

CRITICAL

Python < 3.7.9 - Untrusted Search Path

Title source: rule

Description

In Python 3.8.4, sys.path restrictions specified in a python38._pth file are ignored, allowing code to be loaded from arbitrary locations. The <executable-name>._pth file (e.g., the python._pth file) is not affected.

References (3)

[Issue Tracking, Patch, Vendor Advisory] https://bugs.python.org/issue41304

[Patch, Vendor Advisory] https://github.com/python/cpython/pull/21495

[Third Party Advisory] https://security.netapp.com/advisory/ntap-20200731-0003/

Scores

CVSS v3 9.8

EPSS 0.0062

EPSS Percentile 69.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-426

Status published

Affected Products (2)

python/python < 3.7.9

netapp/max_data

Timeline

Published Jul 17, 2020

Tracked Since Feb 18, 2026