All the vulnerabilites related to Kludex - python-multipart
cve-2024-24762
Vulnerability from cvelistv5
Published
2024-02-05 14:33
Modified
2024-08-01 23:28
Summary
python-multipart vulnerable to content-type header Regular expression Denial of Service
Impacted products
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T23:28:11.928Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/Kludex/python-multipart/security/advisories/GHSA-2jv5-9r88-3w3p",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/Kludex/python-multipart/security/advisories/GHSA-2jv5-9r88-3w3p"
          },
          {
            "name": "https://github.com/Kludex/python-multipart/commit/20f0ef6b4e4caf7d69a667c54dff57fe467109a4",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/Kludex/python-multipart/commit/20f0ef6b4e4caf7d69a667c54dff57fe467109a4"
          },
          {
            "name": "https://github.com/tiangolo/fastapi/security/advisories/GHSA-qf9m-vfgh-m389",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/tiangolo/fastapi/security/advisories/GHSA-qf9m-vfgh-m389"
          },
          {
            "name": "https://github.com/encode/starlette/security/advisories/GHSA-93gm-qmq6-w238",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/encode/starlette/security/advisories/GHSA-93gm-qmq6-w238"
          },
          {
            "name": "https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74"
          },
          {
            "name": "https://github.com/encode/starlette/commit/13e5c26a27f4903924624736abd6131b2da80cc5",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/encode/starlette/commit/13e5c26a27f4903924624736abd6131b2da80cc5"
          },
          {
            "name": "https://github.com/tiangolo/fastapi/commit/9d34ad0ee8a0dfbbcce06f76c2d5d851085024fc",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/tiangolo/fastapi/commit/9d34ad0ee8a0dfbbcce06f76c2d5d851085024fc"
          },
          {
            "name": "https://github.com/tiangolo/fastapi/releases/tag/0.109.1",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/tiangolo/fastapi/releases/tag/0.109.1"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com/Kludex/python-multipart",
          "defaultStatus": "unaffected",
          "packageName": "python-multipart",
          "product": "python-multipart",
          "repo": "https://github.com/Kludex/python-multipart",
          "vendor": "Kludex",
          "versions": [
            {
              "lessThan": "0.0.7",
              "status": "affected",
              "version": "0",
              "versionType": "affected"
            }
          ]
        },
        {
          "collectionURL": "https://github.com/tiangolo/fastapi",
          "defaultStatus": "unaffected",
          "packageName": "fastapi",
          "product": "fastapi",
          "repo": "https://github.com/tiangolo/fastapi",
          "vendor": "tiangolo",
          "versions": [
            {
              "lessThan": "0.109.1",
              "status": "affected",
              "version": "0",
              "versionType": "affected"
            }
          ]
        },
        {
          "collectionURL": "https://github.com/encode/starlette",
          "defaultStatus": "unaffected",
          "packageName": "startlette",
          "product": "starlette",
          "repo": "https://github.com/encode/starlette",
          "vendor": "encode",
          "versions": [
            {
              "lessThan": "0.36.2",
              "status": "affected",
              "version": "0",
              "versionType": "affected"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "`python-multipart` is a streaming multipart parser for Python. When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. An attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can\u0027t handle any more requests, leading to regular expression denial of service. This vulnerability has been patched in version 0.0.7."
            }
          ],
          "value": "`python-multipart` is a streaming multipart parser for Python. When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. An attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can\u0027t handle any more requests, leading to regular expression denial of service. This vulnerability has been patched in version 0.0.7."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400 Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-02-17T01:54:29.017Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/Kludex/python-multipart/security/advisories/GHSA-2jv5-9r88-3w3p",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/Kludex/python-multipart/security/advisories/GHSA-2jv5-9r88-3w3p"
        },
        {
          "name": "https://github.com/Kludex/python-multipart/commit/20f0ef6b4e4caf7d69a667c54dff57fe467109a4",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/Kludex/python-multipart/commit/20f0ef6b4e4caf7d69a667c54dff57fe467109a4"
        },
        {
          "name": "https://github.com/tiangolo/fastapi/security/advisories/GHSA-qf9m-vfgh-m389",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/tiangolo/fastapi/security/advisories/GHSA-qf9m-vfgh-m389"
        },
        {
          "name": "https://github.com/encode/starlette/security/advisories/GHSA-93gm-qmq6-w238",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/encode/starlette/security/advisories/GHSA-93gm-qmq6-w238"
        },
        {
          "name": "https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74"
        },
        {
          "name": "https://github.com/encode/starlette/commit/13e5c26a27f4903924624736abd6131b2da80cc5",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/encode/starlette/commit/13e5c26a27f4903924624736abd6131b2da80cc5"
        },
        {
          "name": "https://github.com/tiangolo/fastapi/commit/9d34ad0ee8a0dfbbcce06f76c2d5d851085024fc",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/tiangolo/fastapi/commit/9d34ad0ee8a0dfbbcce06f76c2d5d851085024fc"
        },
        {
          "name": "https://github.com/tiangolo/fastapi/releases/tag/0.109.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/tiangolo/fastapi/releases/tag/0.109.1"
        }
      ],
      "source": {
        "advisory": "GHSA-2jv5-9r88-3w3p",
        "discovery": "UNKNOWN"
      },
      "title": "python-multipart vulnerable to content-type header Regular expression Denial of Service",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-24762",
    "datePublished": "2024-02-05T14:33:06.481Z",
    "dateReserved": "2024-01-29T20:51:26.011Z",
    "dateUpdated": "2024-08-01T23:28:11.928Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}