一、漏洞信息
漏洞编号：CVE-2022-42919
漏洞归属组件：scipy
漏洞归属的版本：1.5.4,1.7.0,>= 1.5.4
CVSS V3.0分值：
BaseScore：7.8 High
Vector：CVSS：3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
漏洞简述：
Python 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux allows local privilege escalation in a non-default configuration. The Python multiprocessing library, when used with the forkserver start method on Linux, allows pickles to be deserialized from any user in the same machine local network namespace, which in many system configurations means any user on the same machine. Pickles can execute arbitrary code. Thus, this allows for local user privilege escalation to the user that any forkserver process is running as. Setting multiprocessing.util.abstract_sockets_supported to False is a workaround. The forkserver start method for multiprocessing is not the default start method. This issue is Linux specific because only Linux supports abstract namespace sockets. CPython before 3.9 does not make use of Linux abstract namespace sockets by default. Support for users manually specifying an abstract namespace socket was added as a bugfix in 3.7.8 and 3.8.3, but users would need to make specific uncommon API calls in order to do that in CPython before 3.9.
漏洞公开时间：2022-11-07 08:15:09
漏洞创建时间：2024-03-23 18:35:20
漏洞详情参考链接：
https://nvd.nist.gov/vuln/detail/CVE-2022-42919

漏洞分析指导链接：
https://gitee.com/mindspore/community/blob/master/security/cve_issue_template.md
漏洞数据来源:
openBrain开源漏洞感知系统
漏洞补丁信息：

二、漏洞分析结构反馈
影响性分析说明：

MindSpore评分：

受影响版本排查(受影响/不受影响)：
1.master:
2.v0.5.0:
3.v2.0.0: