Lucene search

K
cveMitreCVE-2022-45061
HistoryNov 09, 2022 - 7:15 a.m.

CVE-2022-45061

2022-11-0907:15:09
CWE-407
mitre
web.nvd.nist.gov
391
4
python
idna
cpu denial of service
cve-2022-45061
security vulnerability
fix

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

7.7

Confidence

High

EPSS

0.008

Percentile

81.5%

An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16.

Affected configurations

Nvd
Node
pythonpythonRange3.7.15
OR
pythonpythonRange3.8.03.8.15
OR
pythonpythonRange3.9.03.9.15
OR
pythonpythonRange3.10.03.10.8
OR
pythonpythonMatch3.11.0-
OR
pythonpythonMatch3.11.0alpha1
OR
pythonpythonMatch3.11.0alpha2
OR
pythonpythonMatch3.11.0alpha3
OR
pythonpythonMatch3.11.0alpha4
OR
pythonpythonMatch3.11.0alpha5
OR
pythonpythonMatch3.11.0alpha6
OR
pythonpythonMatch3.11.0alpha7
OR
pythonpythonMatch3.11.0beta1
OR
pythonpythonMatch3.11.0beta2
OR
pythonpythonMatch3.11.0beta3
OR
pythonpythonMatch3.11.0beta4
OR
pythonpythonMatch3.11.0beta5
OR
pythonpythonMatch3.11.0rc1
OR
pythonpythonMatch3.11.0rc2
Node
fedoraprojectfedoraMatch35
OR
fedoraprojectfedoraMatch36
OR
fedoraprojectfedoraMatch37
Node
netappactive_iq_unified_managerMatch-vmware_vsphere
OR
netappactive_iq_unified_managerMatch-windows
OR
netappe-series_performance_analyzerMatch-
OR
netappelement_softwareMatch-
OR
netapphciMatch-
OR
netappmanagement_services_for_element_softwareMatch-
OR
netappontap_select_deploy_administration_utilityMatch-
Node
netappbootstrap_osMatch-
AND
netapphci_compute_nodeMatch-
VendorProductVersionCPE
pythonpython*cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
pythonpython3.11.0cpe:2.3:a:python:python:3.11.0:-:*:*:*:*:*:*
pythonpython3.11.0cpe:2.3:a:python:python:3.11.0:alpha1:*:*:*:*:*:*
pythonpython3.11.0cpe:2.3:a:python:python:3.11.0:alpha2:*:*:*:*:*:*
pythonpython3.11.0cpe:2.3:a:python:python:3.11.0:alpha3:*:*:*:*:*:*
pythonpython3.11.0cpe:2.3:a:python:python:3.11.0:alpha4:*:*:*:*:*:*
pythonpython3.11.0cpe:2.3:a:python:python:3.11.0:alpha5:*:*:*:*:*:*
pythonpython3.11.0cpe:2.3:a:python:python:3.11.0:alpha6:*:*:*:*:*:*
pythonpython3.11.0cpe:2.3:a:python:python:3.11.0:alpha7:*:*:*:*:*:*
pythonpython3.11.0cpe:2.3:a:python:python:3.11.0:beta1:*:*:*:*:*:*
Rows per page:
1-10 of 281

References

Social References

More

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

7.7

Confidence

High

EPSS

0.008

Percentile

81.5%