Understanding Python 2 Vulnerabilities
Introduction
The Python Programming Foundation issued a statement announcing that Python 2 was retired on January 1, 2020, effective immediately.
Furthermore, they stated that “if you require assistance with Python 2 software, many volunteers will be happy to assist you, but with time, the number of volunteers who are willing to assist you will diminish.” This blog post explores in detail what the causes of the retirement were, what its security consequences are, and which security flaws were discovered and exploited.
The final version of Python 2.0 was released on October 16, 2000. Since then, the Python Programming Foundation has constantly rolled out updates, adding features and making major changes to the language. In 2006 they came up with Python 3.0, but by then most people had already developed a taste for Python 2. Many did not consider upgrading to Python 3.0, so they worked on both Python 2 and Python 3.
Even though Python 2 is no longer receiving official support, we can’t ignore the fact that the vast majority of commercial applications are still developed in Python2 and that the vast majority of organizations have no plans to switch to Python3. The majority of the repositories on GitHub are written in Python2, and the vast majority of packages are available for Python2. When was the last time you used pip3 instead of pip to install a package that you liked?
As of now, there are a total of 85 vulnerabilities listed for Python2 and Python3. A curated list of all those vulnerabilities can be found here. The vulnerabilities were found in both the Python core and third-party packages. Most of them do not have a publicly available exploit, which works quite well in favour of the many companies still using vulnerable components.
In this blog post, we’ll be discussing a vulnerability in Python2 that can be used to disclose sensitive values and eventually lead to bypassing of critical checks.
Vulnerabilities in Python2
