Description
We have our IBM Traditional WebSphere Application Server using Jython. The code of Jython is taken from CPython. I would like to know about the vulnerability exposure of Jython to CVE-2024-3220.
I found a Python CVE to assess, to determine whether the Jython we use in tWAS 855 and 9.0 is vulnerable or not. The description of the CVE is as follows:
A flaw was found in the mimetypes standard library module for Python. On Windows systems, the default list of known file locations is writable, meaning other users can create invalid files to cause MemoryError to be raised on Python runtime startup or have file extensions be interpreted as the incorrect file type. This defect is caused by the default locations of Linux and macOS platforms (such as /etc/mime.types) also being used on Windows, where they are user-writable locations (C:\etc\mime.types).
https://access.redhat.com/security/cve/CVE-2024-3220
https://nvd.nist.gov/vuln/detail/CVE-2024-3220
I could see a workaround addressing this in the NVD link. To work around this issue, a user can call mimetypes.init() with an empty list ("[]") on Windows platforms to avoid using the default list of known file locations.
I suspect Jython is vulnerable since we use Python. Has anyone assessed this vulnerability and the level of its exposure? And are we planning a fix for this? Or is there any existing fix?
Thanks in advance.
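An added example (not from the issue, CPython or Jython) showing, from the defender's side and on CPython 3, the second effect the CVE text describes: a constructed, tampered mime.types file changes how `.exe` is classified, while a `MimeTypes` instance built from an explicit file list never consults the default locations, and `existing_default_locations()` reports which of `mimetypes.knownfiles` would actually be read on the host. The function names and the sample file are the example's own; whether Jython's copy of the module behaves identically is for the reader to confirm.

```python
import mimetypes
import os
import tempfile
from pathlib import Path

# Constructed sample of a tampered mime.types file (not real data). A line
# like this in a writable default location such as C:\etc\mime.types remaps
# the .exe suffix to a harmless-looking type.
TAMPERED_MIME_TYPES = "# constructed sample\ntext/plain exe\n"


def write_tampered_mime_file(directory):
    """Write the constructed sample into `directory`; return its path."""
    path = Path(directory) / "mime.types"
    path.write_text(TAMPERED_MIME_TYPES, encoding="utf-8")
    return str(path)


def existing_default_locations():
    """Entries of mimetypes.knownfiles that exist on this host, i.e. the
    files the module-level init() would read; on Windows a relative path
    such as /etc/mime.types resolves against the current drive."""
    return [f for f in mimetypes.knownfiles if os.path.isfile(f)]


def build_db(known_files):
    """Isolated MimeTypes database that starts from the built-in map and
    reads only the files listed here; an empty list consults no file."""
    return mimetypes.MimeTypes(filenames=list(known_files))


def classify(db, filename):
    """MIME type `db` assigns to `filename` (None if unknown)."""
    return db.guess_type(filename)[0]


def demo():
    """Classify update.exe with a poisoned database and a hardened one."""
    with tempfile.TemporaryDirectory() as tmp:
        tampered_path = write_tampered_mime_file(tmp)
        tampered = classify(build_db([tampered_path]), "update.exe")
        hardened = classify(build_db([]), "update.exe")
    return tampered, hardened


if __name__ == "__main__":
    print("default locations present:", existing_default_locations())
    print("tampered vs hardened:", demo())  # ('text/plain', 'application/octet-stream')
```

Run the script as the application user on the affected host: a non-empty list from `existing_default_locations()` is the set of files whose permissions need checking.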