{"id":"CVE-2023-6507","details":"An issue was found in CPython 3.12.0 `subprocess` module on POSIX platforms. The issue was fixed in CPython 3.12.1 and does not affect other stable releases.\n\nWhen using the `extra_groups=` parameter with an empty list as a value (ie `extra_groups=[]`) the logic regressed to not call `setgroups(0, NULL)` before calling `exec()`, thus not dropping the original processes' groups before starting the new process. There is no issue when the parameter isn't used or when any value is used besides an empty list.\n\nThis issue only impacts CPython processes run with sufficient privilege to make the `setgroups` system call (typically `root`).\n\n","aliases":["BIT-libpython-2023-6507","BIT-python-2023-6507","BIT-python-min-2023-6507","PSF-2023-12","PSF-CVE-2023-6507"],"modified":"2026-04-12T08:23:29.909025Z","published":"2023-12-08T19:15:08.440Z","related":["openSUSE-SU-2024:13511-1"],"references":[{"type":"ADVISORY","url":"https://mail.python.org/archives/list/security-announce@python.org/thread/AUL7QFHBLILGISS7U63B47AYSSGJJQZD/"},{"type":"FIX","url":"https://github.com/python/cpython/commit/85bbfa8a4bbdbb61a3a84fbd7cb29a4096ab8a06"},{"type":"FIX","url":"https://github.com/python/cpython/commit/9fe7655c6ce0b8e9adc229daf681b6d30e6b1610"},{"type":"FIX","url":"https://github.com/python/cpython/issues/112334"},{"type":"FIX","url":"https://github.com/python/cpython/commit/10e9bb13b8dcaa414645b9bd10718d8f7179e82b"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/python/cpython","events":[{"introduced":"0"},{"last_affected":"0fb18b02c8ad56299d6a2910be0bab8ad601ef24"},{"fixed":"10e9bb13b8dcaa414645b9bd10718d8f7179e82b"},{"fixed":"85bbfa8a4bbdbb61a3a84fbd7cb29a4096ab8a06"},{"fixed":"9fe7655c6ce0b8e9adc229daf681b6d30e6b1610"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"3.12.0-NA"}]}}],"versions":["v0.9.8","v0.9.9","v1.0.1","v1.0.2","v1.1","v1.1.1","v1.2","v1.2b1","v1.2b2","v1.2b3","v1.2b4","v1.3","v1.3b1","v1.4","v1.4b1","v1.4b2","v1.4b3","v1.5","v1.5.1","v1.5.2","v1.5.2a1","v1.5.2a2","v1.5.2b1","v1.5.2b2","v1.5.2c1","v1.5a1","v1.5a2","v1.5a3","v1.5a4","v1.5b1","v1.5b2","v1.6a1","v1.6a2","v2.0","v2.0b1","v2.0b2","v2.0c1","v2.1","v2.1a1","v2.1a2","v2.1b1","v2.1b2","v2.1c1","v2.1c2","v2.2a3","v2.3c1","v2.3c2","v2.4","v2.4a1","v2.4a2","v2.4a3","v2.4b1","v2.4b2","v2.4c1","v3.0a1","v3.0a2","v3.0a3","v3.0a4","v3.0a5","v3.0b1","v3.0b2","v3.0b3","v3.0rc1","v3.0rc2","v3.0rc3","v3.1","v3.10.0a1","v3.10.0a7","v3.11.0a3","v3.11.0a4","v3.11.0a5","v3.11.0a6","v3.11.0a7","v3.11.0b1","v3.12.0","v3.12.0a1","v3.12.0a2","v3.12.0a3","v3.12.0a4","v3.12.0a5","v3.12.0a6","v3.12.0a7","v3.12.0b1","v3.12.0b2","v3.12.0b3","v3.12.0b4","v3.12.0rc1","v3.12.0rc2","v3.12.0rc3","v3.13.0a1","v3.13.0a2","v3.1a1","v3.1a2","v3.1b1","v3.1rc1","v3.1rc2","v3.2a1","v3.2a2","v3.2a3","v3.2a4","v3.2b1","v3.2b2","v3.2rc1","v3.2rc2","v3.2rc3","v3.3.0a2","v3.3.0a3","v3.3.0a4","v3.3.0b1","v3.3.0b2","v3.3.0rc1","v3.3.0rc2","v3.3.0rc3","v3.4.0a1","v3.4.0a2","v3.4.0a3","v3.4.0a4","v3.4.0b1","v3.4.0b2","v3.4.0b3","v3.5.0a1","v3.5.0a2","v3.5.0a3","v3.5.0a4","v3.5.0b1","v3.6.0a3","v3.6.0b1","v3.7.0a2","v3.9.0a2"],"database_specific":{"vanir_signatures":[{"signature_version":"v1","id":"CVE-2023-6507-1ca77386","deprecated":false,"target":{"file":"Modules/_posixsubprocess.c"},"signature_type":"Line","digest":{"line_hashes":["189411318785850568298533576954283130376","211792046633170116419359087188057175268","64397199614536702134583914944910092511","88621379523515045929211927540840271876","240123142396219197878374763112592446413","320889104691819057095717797337483078805","65515302783531606825779168779461923178","307488279758457837705587482108685133220","91803463576764163712498933663670892376","200443514168655596833241232262831404668","130494942091716593398144113029822445450","34151014721715540780753740715808088251"],"threshold":0.9},"source":"https://github.com/python/cpython/commit/9fe7655c6ce0b8e9adc229daf681b6d30e6b1610"},{"signature_version":"v1","id":"CVE-2023-6507-49279a84","deprecated":false,"target":{"function":"subprocess_fork_exec_impl","file":"Modules/_posixsubprocess.c"},"signature_type":"Function","digest":{"length":5002,"function_hash":"45995096709570668763512622662490141621"},"source":"https://github.com/python/cpython/commit/9fe7655c6ce0b8e9adc229daf681b6d30e6b1610"},{"signature_version":"v1","id":"CVE-2023-6507-85e58e5d","deprecated":false,"target":{"file":"Modules/_posixsubprocess.c"},"signature_type":"Line","digest":{"line_hashes":["189411318785850568298533576954283130376","211792046633170116419359087188057175268","64397199614536702134583914944910092511","88621379523515045929211927540840271876","240123142396219197878374763112592446413","320889104691819057095717797337483078805","65515302783531606825779168779461923178","307488279758457837705587482108685133220","91803463576764163712498933663670892376","200443514168655596833241232262831404668","130494942091716593398144113029822445450","34151014721715540780753740715808088251"],"threshold":0.9},"source":"https://github.com/python/cpython/commit/85bbfa8a4bbdbb61a3a84fbd7cb29a4096ab8a06"},{"signature_version":"v1","id":"CVE-2023-6507-e4dc8630","deprecated":false,"target":{"function":"subprocess_fork_exec_impl","file":"Modules/_posixsubprocess.c"},"signature_type":"Function","digest":{"length":5002,"function_hash":"45995096709570668763512622662490141621"},"source":"https://github.com/python/cpython/commit/85bbfa8a4bbdbb61a3a84fbd7cb29a4096ab8a06"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-6507.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"3.13.0-alpha1"}]},{"events":[{"introduced":"0"},{"last_affected":"3.13.0-alpha2"}]}],"vanir_signatures_modified":"2026-04-12T08:23:29Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N"}]}