fkie_cve-2024-0450
Vulnerability from fkie_nvd
Published
2024-03-19 16:15
Modified
2024-11-21 08:46
Summary
An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The zipfile module is vulnerable to "quoted-overlap" zip bombs, which exploit the zip format (independent local file headers and a separate central directory) to make entries share the same compressed bytes, yielding a zip bomb with a very high compression ratio (CWE-405, asymmetric resource consumption). The fixed versions of CPython make the zipfile module reject zip archives whose entries overlap.
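The overlap that the fix rejects, as an added example (this is not CPython's code and not the construction from the bamsoftware write-up): it builds a small archive in which every entry's data region contains the next entry's local file header, which is the layout of a quoted-overlap bomb, but using stored (uncompressed) entries instead of crafted DEFLATE streams so the bytes are easy to inspect. `find_overlaps()` recomputes the same bound the patched `zipfile` enforces (an entry's local header plus its compressed data must not run past the next entry's header or the central directory) directly from the raw bytes, so it also works on unpatched interpreters. All function names, the `f0..f7` entry names and the `b"A" * 10_000` payload are this example's own assumptions.

```python
"""Detect overlapping zip entries (the property the CVE-2024-0450 fix rejects).

Added example, not CPython's code. Entry i's stored data is
(local header of entry i+1 + data of entry i+1), so every entry claims the
innermost payload while the archive pays only one extra header per entry.
"""
import io
import struct
import zipfile
import zlib

LFH_SIG = 0x04034B50   # local file header signature ("PK\x03\x04")
CDH_SIG = 0x02014B50   # central directory header signature
EOCD_SIG = 0x06054B50  # end of central directory signature


def _local_header(name: bytes, data: bytes) -> bytes:
    """30-byte local file header plus name; method 0 (stored), no extra field."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    return struct.pack("<IHHHHHIIIHH", LFH_SIG, 20, 0, 0, 0, 0,
                       crc, len(data), len(data), len(name), 0) + name


def _central_header(name: bytes, data: bytes, offset: int) -> bytes:
    """46-byte central directory header pointing at local header `offset`."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    return struct.pack("<IHHHHHHIIIHHHHHII", CDH_SIG, 20, 20, 0, 0, 0, 0,
                       crc, len(data), len(data), len(name),
                       0, 0, 0, 0, 0, offset) + name


def build_overlapping_zip(depth: int, payload: bytes) -> bytes:
    """Nest `depth` stored entries so each one's data contains all inner ones."""
    names = [f"f{i}".encode() for i in range(depth)]   # assumed entry names
    entries = []                 # (name, data), innermost first
    body = payload
    for name in reversed(names):
        entries.append((name, body))
        body = _local_header(name, body) + body
    entries.reverse()            # outermost first = physical order in `body`
    central, offset = b"", 0
    for name, data in entries:
        central += _central_header(name, data, offset)
        offset += 30 + len(name)  # next local header sits right after this one
    eocd = struct.pack("<IHHHHIIH", EOCD_SIG, 0, 0, len(entries), len(entries),
                       len(central), len(body), 0)
    return body + central + eocd


def build_clean_zip(depth: int, payload: bytes) -> bytes:
    """Honest equivalent: same names and payload, written by the stdlib."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for i in range(depth):
            zf.writestr(f"f{i}", payload)
    return buf.getvalue()


def find_overlaps(archive: bytes) -> list:
    """Names of entries whose header + compressed data runs past the next
    entry's local header (or past the central directory for the last one)."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        infos = sorted(zf.infolist(), key=lambda zi: zi.header_offset)
        cd_start = zf.start_dir
    suspects = []
    for idx, zi in enumerate(infos):
        hdr = archive[zi.header_offset:zi.header_offset + 30]
        if len(hdr) < 30 or struct.unpack("<I", hdr[:4])[0] != LFH_SIG:
            suspects.append(zi.filename)   # dangling offset: treat as hostile
            continue
        name_len, extra_len = struct.unpack("<HH", hdr[26:30])
        data_end = zi.header_offset + 30 + name_len + extra_len + zi.compress_size
        limit = infos[idx + 1].header_offset if idx + 1 < len(infos) else cd_start
        if data_end > limit:
            suspects.append(zi.filename)
    return suspects


def claimed_output_size(archive: bytes) -> int:
    """Total uncompressed size the central directory advertises."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return sum(zi.file_size for zi in zf.infolist())


def stdlib_rejects(archive: bytes) -> bool:
    """True if this interpreter's zipfile refuses to read some entry.
    Patched CPython raises BadZipFile("Overlapped entries: ...") from open();
    unpatched versions return the nested data without complaint."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        try:
            for zi in zf.infolist():
                zf.open(zi).read()
        except zipfile.BadZipFile:
            return True
    return False


if __name__ == "__main__":
    payload = b"A" * 10_000                          # constructed sample content
    for label, data in (("clean", build_clean_zip(8, payload)),
                        ("overlap", build_overlapping_zip(8, payload))):
        print(f"{label:8s} archive={len(data):6d} B  claimed output="
              f"{claimed_output_size(data):6d} B  overlapping={find_overlaps(data)}"
              f"  stdlib rejects={stdlib_rejects(data)}")
```

With eight nested entries the overlapping archive is about 10.7 KB yet advertises about 80 KB of output, and the ratio grows with the nesting depth; the real quoted-overlap construction reaches far higher ratios by quoting headers inside DEFLATE streams, but the structural signal is the same one `find_overlaps()` reports. Only the innermost entry is clean, because its data ends exactly where the central directory begins, which is why the patched `zipfile` rejects the outer entries when they are opened rather than at `ZipFile()` construction.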
References
cna@python.org  http://www.openwall.com/lists/oss-security/2024/03/20/5
cna@python.org  https://github.com/python/cpython/commit/30fe5d853b56138dbec62432d370a1f99409fc85
cna@python.org  https://github.com/python/cpython/commit/66363b9a7b9fe7c99eba3a185b74c5fdbf842eba
cna@python.org  https://github.com/python/cpython/commit/70497218351ba44bffc8b571201ecb5652d84675
cna@python.org  https://github.com/python/cpython/commit/a2c59992e9e8d35baba9695eb186ad6c6ff85c51
cna@python.org  https://github.com/python/cpython/commit/a956e510f6336d5ae111ba429a61c3ade30a7549
cna@python.org  https://github.com/python/cpython/commit/d05bac0b74153beb541b88b4fca33bf053990183
cna@python.org  https://github.com/python/cpython/commit/fa181fcf2156f703347b03a3b1966ce47be8ab3b
cna@python.org  https://github.com/python/cpython/issues/109858
cna@python.org  https://lists.debian.org/debian-lts-announce/2024/03/msg00024.html
cna@python.org  https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html
cna@python.org  https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3IGRX54M7RNCQOXVQO5KQKTGWCOABIM/
cna@python.org  https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5VHWS52HGD743C47UMCSAK2A773M2YE/
cna@python.org  https://mail.python.org/archives/list/security-announce@python.org/thread/XELNUX2L3IOHBTFU7RQHCY6OUVEWZ2FG/
cna@python.org  https://www.bamsoftware.com/hacks/zipbomb/
af854a3a-2127-422b-91ae-364da2661108  http://www.openwall.com/lists/oss-security/2024/03/20/5
af854a3a-2127-422b-91ae-364da2661108  https://github.com/python/cpython/commit/30fe5d853b56138dbec62432d370a1f99409fc85
af854a3a-2127-422b-91ae-364da2661108  https://github.com/python/cpython/commit/66363b9a7b9fe7c99eba3a185b74c5fdbf842eba
af854a3a-2127-422b-91ae-364da2661108  https://github.com/python/cpython/commit/70497218351ba44bffc8b571201ecb5652d84675
af854a3a-2127-422b-91ae-364da2661108  https://github.com/python/cpython/commit/a2c59992e9e8d35baba9695eb186ad6c6ff85c51
af854a3a-2127-422b-91ae-364da2661108  https://github.com/python/cpython/commit/a956e510f6336d5ae111ba429a61c3ade30a7549
af854a3a-2127-422b-91ae-364da2661108  https://github.com/python/cpython/commit/d05bac0b74153beb541b88b4fca33bf053990183
af854a3a-2127-422b-91ae-364da2661108  https://github.com/python/cpython/commit/fa181fcf2156f703347b03a3b1966ce47be8ab3b
af854a3a-2127-422b-91ae-364da2661108  https://github.com/python/cpython/issues/109858
af854a3a-2127-422b-91ae-364da2661108  https://lists.debian.org/debian-lts-announce/2024/03/msg00024.html
af854a3a-2127-422b-91ae-364da2661108  https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html
af854a3a-2127-422b-91ae-364da2661108  https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3IGRX54M7RNCQOXVQO5KQKTGWCOABIM/
af854a3a-2127-422b-91ae-364da2661108  https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5VHWS52HGD743C47UMCSAK2A773M2YE/
af854a3a-2127-422b-91ae-364da2661108  https://mail.python.org/archives/list/security-announce@python.org/thread/XELNUX2L3IOHBTFU7RQHCY6OUVEWZ2FG/
af854a3a-2127-422b-91ae-364da2661108  https://www.bamsoftware.com/hacks/zipbomb/
Impacted products
Vendor Product Version



{
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.\n\nThe zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive.\n\n",
      },
      {
         lang: "es",
         value: "An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The zipfile module is vulnerable to \"quoted-overlap\" zip bombs, which exploit the zip format to create a zip bomb with a high compression ratio. The fixed versions of CPython make the zipfile module reject zip archives whose entries overlap.",
      },
   ],
   id: "CVE-2024-0450",
   lastModified: "2024-11-21T08:46:37.017",
   metrics: {
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "LOCAL",
               availabilityImpact: "HIGH",
               baseScore: 6.2,
               baseSeverity: "MEDIUM",
               confidentialityImpact: "NONE",
               integrityImpact: "NONE",
               privilegesRequired: "NONE",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
               version: "3.1",
            },
            exploitabilityScore: 2.5,
            impactScore: 3.6,
            source: "cna@python.org",
            type: "Secondary",
         },
      ],
   },
   published: "2024-03-19T16:15:09.180",
   references: [
      {
         source: "cna@python.org",
         url: "http://www.openwall.com/lists/oss-security/2024/03/20/5",
      },
      {
         source: "cna@python.org",
         url: "https://github.com/python/cpython/commit/30fe5d853b56138dbec62432d370a1f99409fc85",
      },
      {
         source: "cna@python.org",
         url: "https://github.com/python/cpython/commit/66363b9a7b9fe7c99eba3a185b74c5fdbf842eba",
      },
      {
         source: "cna@python.org",
         url: "https://github.com/python/cpython/commit/70497218351ba44bffc8b571201ecb5652d84675",
      },
      {
         source: "cna@python.org",
         url: "https://github.com/python/cpython/commit/a2c59992e9e8d35baba9695eb186ad6c6ff85c51",
      },
      {
         source: "cna@python.org",
         url: "https://github.com/python/cpython/commit/a956e510f6336d5ae111ba429a61c3ade30a7549",
      },
      {
         source: "cna@python.org",
         url: "https://github.com/python/cpython/commit/d05bac0b74153beb541b88b4fca33bf053990183",
      },
      {
         source: "cna@python.org",
         url: "https://github.com/python/cpython/commit/fa181fcf2156f703347b03a3b1966ce47be8ab3b",
      },
      {
         source: "cna@python.org",
         url: "https://github.com/python/cpython/issues/109858",
      },
      {
         source: "cna@python.org",
         url: "https://lists.debian.org/debian-lts-announce/2024/03/msg00024.html",
      },
      {
         source: "cna@python.org",
         url: "https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html",
      },
      {
         source: "cna@python.org",
         url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3IGRX54M7RNCQOXVQO5KQKTGWCOABIM/",
      },
      {
         source: "cna@python.org",
         url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5VHWS52HGD743C47UMCSAK2A773M2YE/",
      },
      {
         source: "cna@python.org",
         url: "https://mail.python.org/archives/list/security-announce@python.org/thread/XELNUX2L3IOHBTFU7RQHCY6OUVEWZ2FG/",
      },
      {
         source: "cna@python.org",
         url: "https://www.bamsoftware.com/hacks/zipbomb/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "http://www.openwall.com/lists/oss-security/2024/03/20/5",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://github.com/python/cpython/commit/30fe5d853b56138dbec62432d370a1f99409fc85",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://github.com/python/cpython/commit/66363b9a7b9fe7c99eba3a185b74c5fdbf842eba",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://github.com/python/cpython/commit/70497218351ba44bffc8b571201ecb5652d84675",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://github.com/python/cpython/commit/a2c59992e9e8d35baba9695eb186ad6c6ff85c51",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://github.com/python/cpython/commit/a956e510f6336d5ae111ba429a61c3ade30a7549",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://github.com/python/cpython/commit/d05bac0b74153beb541b88b4fca33bf053990183",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://github.com/python/cpython/commit/fa181fcf2156f703347b03a3b1966ce47be8ab3b",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://github.com/python/cpython/issues/109858",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.debian.org/debian-lts-announce/2024/03/msg00024.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3IGRX54M7RNCQOXVQO5KQKTGWCOABIM/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5VHWS52HGD743C47UMCSAK2A773M2YE/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://mail.python.org/archives/list/security-announce@python.org/thread/XELNUX2L3IOHBTFU7RQHCY6OUVEWZ2FG/",
      },
      {
         source: "af854a3a-2127-422b-91ae-364da2661108",
         url: "https://www.bamsoftware.com/hacks/zipbomb/",
      },
   ],
   sourceIdentifier: "cna@python.org",
   vulnStatus: "Awaiting Analysis",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-405",
            },
         ],
         source: "cna@python.org",
         type: "Secondary",
      },
   ],
}

