Lucene search

K

GoogleOSV:PSF-2024-2

HistoryMar 19, 2024 - 3:12 p.m.

PSF-2024-2

2024-03-1915:12:07

Google

osv.dev

9

cpython

zipfile module

vulnerability

zip-bombs

compression ratio

fixed versions

6.2 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7 High

AI Score

Confidence

Low

0.0005 Low

EPSS

Percentile

17.2%

An issue was found in the CPython zipfile module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.

The zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive.

CPENameOperatorVersion
cpythoneq2.5.2
cpythoneq3.0rc1
cpythoneq3.8.8
cpythoneq3.11.2
cpythoneq3.10.2
cpythoneq3.9.0b4
cpythoneq3.2b2
cpythoneq1.5
cpythoneq3.5.0a3
cpythoneq3.9.0a2

Rows per page:

1-10 of 3881

References

www.openwall.com/lists/oss-security/2024/03/20/5

github.com/python/cpython/commit/30fe5d853b56138dbec62432d370a1f99409fc85

github.com/python/cpython/commit/66363b9a7b9fe7c99eba3a185b74c5fdbf842eba

github.com/python/cpython/commit/70497218351ba44bffc8b571201ecb5652d84675

github.com/python/cpython/commit/a2c59992e9e8d35baba9695eb186ad6c6ff85c51

github.com/python/cpython/commit/a956e510f6336d5ae111ba429a61c3ade30a7549

github.com/python/cpython/commit/d05bac0b74153beb541b88b4fca33bf053990183

github.com/python/cpython/commit/fa181fcf2156f703347b03a3b1966ce47be8ab3b

github.com/python/cpython/issues/109858

lists.debian.org/debian-lts-announce/2024/03/msg00024.html

lists.debian.org/debian-lts-announce/2024/03/msg00025.html

lists.fedoraproject.org/archives/list/[email protected]/message/T3IGRX54M7RNCQOXVQO5KQKTGWCOABIM/

lists.fedoraproject.org/archives/list/[email protected]/message/U5VHWS52HGD743C47UMCSAK2A773M2YE/

mail.python.org/archives/list/[email protected]/thread/XELNUX2L3IOHBTFU7RQHCY6OUVEWZ2FG/

www.bamsoftware.com/hacks/zipbomb/

6.2 Medium

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7 High

AI Score

Confidence

Low

0.0005 Low

EPSS

Percentile

17.2%

Related for OSV:PSF-2024-2

nessus34 cve1 osv10 debiancve1 ubuntucve1 cbl_mariner1 ibm1 aix1 debian2 redhatcve1 cvelist1 openvas19 veracode1 wolfi1 cgr1 amazon1 nvd1 alpinelinux1 mageia1 almalinux4 redhat4 fedora2 oraclelinux4 rocky2 slackware1 gentoo1