CVSS3
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
AI Score
Confidence: Low
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
An issue was found in the CPython zipfile module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The zipfile module is vulnerable to "quoted-overlap" zip bombs, which exploit the zip format (central-directory entries whose local headers and compressed data overlap, so the same bytes are counted toward many files) to build an archive with a very high compression ratio. The fixed versions of CPython make the zipfile module reject zip archives whose entries overlap.
[
  {
    "repo": "https://github.com/python/cpython",
    "vendor": "Python Software Foundation",
    "product": "CPython",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "lessThan": "3.8.19",
        "versionType": "python"
      },
      {
        "status": "affected",
        "version": "3.9.0",
        "lessThan": "3.9.19",
        "versionType": "python"
      },
      {
        "status": "affected",
        "version": "3.10.0",
        "lessThan": "3.10.14",
        "versionType": "python"
      },
      {
        "status": "affected",
        "version": "3.11.0",
        "lessThan": "3.11.8",
        "versionType": "python"
      },
      {
        "status": "affected",
        "version": "3.12.0",
        "lessThan": "3.12.2",
        "versionType": "python"
      },
      {
        "status": "affected",
        "version": "3.13.0a1",
        "lessThan": "3.13.0a3",
        "versionType": "python"
      }
    ],
    "defaultStatus": "unaffected"
  }
]
[
  {
    "cpes": [
      "cpe:2.3:a:python:cpython:*:*:*:*:*:*:*:*"
    ],
    "vendor": "python",
    "product": "cpython",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "lessThan": "3.8.18",
        "versionType": "custom"
      },
      {
        "status": "affected",
        "version": "3.9.18"
      },
      {
        "status": "affected",
        "version": "3.10.13"
      },
      {
        "status": "affected",
        "version": "3.11.7"
      },
      {
        "status": "affected",
        "version": "3.12.1"
      }
    ],
    "defaultStatus": "unknown"
  }
]
www.openwall.com/lists/oss-security/2024/03/20/5
github.com/python/cpython/commit/30fe5d853b56138dbec62432d370a1f99409fc85
github.com/python/cpython/commit/66363b9a7b9fe7c99eba3a185b74c5fdbf842eba
github.com/python/cpython/commit/70497218351ba44bffc8b571201ecb5652d84675
github.com/python/cpython/commit/a2c59992e9e8d35baba9695eb186ad6c6ff85c51
github.com/python/cpython/commit/a956e510f6336d5ae111ba429a61c3ade30a7549
github.com/python/cpython/commit/d05bac0b74153beb541b88b4fca33bf053990183
github.com/python/cpython/commit/fa181fcf2156f703347b03a3b1966ce47be8ab3b
github.com/python/cpython/issues/109858
lists.debian.org/debian-lts-announce/2024/03/msg00024.html
lists.debian.org/debian-lts-announce/2024/03/msg00025.html
lists.fedoraproject.org/archives/list/[email protected]/message/T3IGRX54M7RNCQOXVQO5KQKTGWCOABIM/
lists.fedoraproject.org/archives/list/[email protected]/message/U5VHWS52HGD743C47UMCSAK2A773M2YE/
mail.python.org/archives/list/[email protected]/thread/XELNUX2L3IOHBTFU7RQHCY6OUVEWZ2FG/
www.bamsoftware.com/hacks/zipbomb/