FKIE_CVE-2024-6232

Vulnerability from fkie_nvd - Published: 2024-09-03 13:15 - Updated: 2025-11-03 23:17
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
There is a MEDIUM severity vulnerability affecting CPython. Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives.
References
cna@python.orghttps://github.com/python/cpython/commit/34ddb64d088dd7ccc321f6103d23153256caa5d4Patch
cna@python.orghttps://github.com/python/cpython/commit/4eaf4891c12589e3c7bdad5f5b076e4c8392dd06Patch
cna@python.orghttps://github.com/python/cpython/commit/743acbe872485dc18df4d8ab2dc7895187f062c4Patch
cna@python.orghttps://github.com/python/cpython/commit/7d1f50cd92ff7e10a1c15a8f591dde8a6843a64dPatch
cna@python.orghttps://github.com/python/cpython/commit/b4225ca91547aa97ed3aca391614afbb255bc877Patch
cna@python.orghttps://github.com/python/cpython/commit/d449caf8a179e3b954268b3a88eb9170be3c8fbfPatch
cna@python.orghttps://github.com/python/cpython/commit/ed3a49ea734ada357ff4442996fd4ae71d253373Patch
cna@python.orghttps://github.com/python/cpython/issues/121285Exploit, Issue Tracking, Patch
cna@python.orghttps://github.com/python/cpython/pull/121286Issue Tracking, Patch
cna@python.orghttps://mail.python.org/archives/list/security-announce@python.org/thread/JRYFTPRHZRTLMZLWQEUHZSJXNHM4ACTY/Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108http://www.openwall.com/lists/oss-security/2024/09/03/5Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html
af854a3a-2127-422b-91ae-364da2661108https://security.netapp.com/advisory/ntap-20241018-0007/Third Party Advisory
Impacted products
Vendor Product Version
python python *
python python *
python python *
python python *
python python *
python python 3.13.0
python python 3.13.0
python python 3.13.0
python python 3.13.0
python python 3.13.0
python python 3.13.0
python python 3.13.0
python python 3.13.0
python python 3.13.0
python python 3.13.0
python python 3.13.0
python python 3.13.0
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B475FA53-D1F3-44C8-80CD-0CEA88129109",
              "versionEndExcluding": "3.8.20",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "9365E878-106E-49B6-98FC-9FA339CD5216",
              "versionEndExcluding": "3.9.20",
              "versionStartIncluding": "3.9.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "BFD756EB-DF07-4485-A2AA-59FBD7260A21",
              "versionEndExcluding": "3.10.15",
              "versionStartIncluding": "3.10.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "9EE0E5D8-452F-4862-9C23-23AC1DDEFB1E",
              "versionEndExcluding": "3.11.10",
              "versionStartIncluding": "3.11.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5D4E662B-59E4-495E-941E-2246D2168B42",
              "versionEndExcluding": "3.12.6",
              "versionStartIncluding": "3.12.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:python:python:3.13.0:alpha0:*:*:*:*:*:*",
              "matchCriteriaId": "3BA51E41-D221-431F-870F-536AF2867B50",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:python:python:3.13.0:alpha1:*:*:*:*:*:*",
              "matchCriteriaId": "978582FF-B8F3-479F-AE77-359E9AEE6F23",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:python:python:3.13.0:alpha2:*:*:*:*:*:*",
              "matchCriteriaId": "84E3F62C-7218-4DC3-8473-8A576739643A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:python:python:3.13.0:alpha3:*:*:*:*:*:*",
              "matchCriteriaId": "1FD15706-B8BC-4801-9F93-06771F2E12C1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:python:python:3.13.0:alpha4:*:*:*:*:*:*",
              "matchCriteriaId": "0FDC359F-E8ED-4777-83FB-1EC63F095CBF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:python:python:3.13.0:alpha5:*:*:*:*:*:*",
              "matchCriteriaId": "6893BDDE-4D90-4592-8701-C6B3FFEB0CFE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:python:python:3.13.0:alpha6:*:*:*:*:*:*",
              "matchCriteriaId": "E316F712-F03A-4378-8192-D1640819698B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:python:python:3.13.0:beta1:*:*:*:*:*:*",
              "matchCriteriaId": "8566F034-27CB-422E-950B-DCAA926CF64F",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:python:python:3.13.0:beta2:*:*:*:*:*:*",
              "matchCriteriaId": "EACCE6C3-7701-4966-9D88-E949C82FCA46",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:python:python:3.13.0:beta3:*:*:*:*:*:*",
              "matchCriteriaId": "A4853BF2-9C27-465F-9840-5B37013C9F74",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:python:python:3.13.0:beta4:*:*:*:*:*:*",
              "matchCriteriaId": "B266541A-E877-4CAD-A1EF-08A069441F36",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:python:python:3.13.0:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "8384A34C-50CD-439C-A2BB-DEA6161342C1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "There is a MEDIUM severity vulnerability affecting CPython.\n\n\n\n\n\nRegular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives."
    },
    {
      "lang": "es",
      "value": "Existe una vulnerabilidad de gravedad MEDIA que afecta a CPython. Las expresiones regulares que permit\u00edan un retroceso excesivo durante el an\u00e1lisis de cabeceras tarfile.TarFile son vulnerables a ReDoS a trav\u00e9s de archivos tar manipulados espec\u00edficamente."
    }
  ],
  "id": "CVE-2024-6232",
  "lastModified": "2025-11-03T23:17:30.710",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-09-03T13:15:05.363",
  "references": [
    {
      "source": "cna@python.org",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/python/cpython/commit/34ddb64d088dd7ccc321f6103d23153256caa5d4"
    },
    {
      "source": "cna@python.org",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/python/cpython/commit/4eaf4891c12589e3c7bdad5f5b076e4c8392dd06"
    },
    {
      "source": "cna@python.org",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/python/cpython/commit/743acbe872485dc18df4d8ab2dc7895187f062c4"
    },
    {
      "source": "cna@python.org",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/python/cpython/commit/7d1f50cd92ff7e10a1c15a8f591dde8a6843a64d"
    },
    {
      "source": "cna@python.org",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/python/cpython/commit/b4225ca91547aa97ed3aca391614afbb255bc877"
    },
    {
      "source": "cna@python.org",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/python/cpython/commit/d449caf8a179e3b954268b3a88eb9170be3c8fbf"
    },
    {
      "source": "cna@python.org",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/python/cpython/commit/ed3a49ea734ada357ff4442996fd4ae71d253373"
    },
    {
      "source": "cna@python.org",
      "tags": [
        "Exploit",
        "Issue Tracking",
        "Patch"
      ],
      "url": "https://github.com/python/cpython/issues/121285"
    },
    {
      "source": "cna@python.org",
      "tags": [
        "Issue Tracking",
        "Patch"
      ],
      "url": "https://github.com/python/cpython/pull/121286"
    },
    {
      "source": "cna@python.org",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/JRYFTPRHZRTLMZLWQEUHZSJXNHM4ACTY/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://www.openwall.com/lists/oss-security/2024/09/03/5"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20241018-0007/"
    }
  ],
  "sourceIdentifier": "cna@python.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-1333"
        }
      ],
      "source": "cna@python.org",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-1333"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.