ghsa-jm46-725r-hh9v
Vulnerability from github
Published
2024-03-19 18:31
Modified
2024-03-25 00:30
Severity ?
6.2 (Medium) - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Details

An issue was found in the CPython zipfile module affecting versions 3.12.2, 3.11.8, 3.10.13, 3.9.18, and 3.8.18 and prior.

The zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive.

Show details on source website

To clipboard 

{
   affected: [],
   aliases: [
      "CVE-2024-0450",
   ],
   database_specific: {
      cwe_ids: [
         "CWE-405",
      ],
      github_reviewed: false,
      github_reviewed_at: null,
      nvd_published_at: "2024-03-19T16:15:09Z",
      severity: "MODERATE",
   },
   details: "An issue was found in the CPython `zipfile` module affecting versions 3.12.2, 3.11.8, 3.10.13, 3.9.18, and 3.8.18 and prior.\n\nThe zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive.\n\n",
   id: "GHSA-jm46-725r-hh9v",
   modified: "2024-03-25T00:30:30Z",
   published: "2024-03-19T18:31:59Z",
   references: [
      {
         type: "ADVISORY",
         url: "https://nvd.nist.gov/vuln/detail/CVE-2024-0450",
      },
      {
         type: "WEB",
         url: "https://github.com/python/cpython/issues/109858",
      },
      {
         type: "WEB",
         url: "https://github.com/python/cpython/commit/30fe5d853b56138dbec62432d370a1f99409fc85",
      },
      {
         type: "WEB",
         url: "https://github.com/python/cpython/commit/66363b9a7b9fe7c99eba3a185b74c5fdbf842eba",
      },
      {
         type: "WEB",
         url: "https://github.com/python/cpython/commit/a2c59992e9e8d35baba9695eb186ad6c6ff85c51",
      },
      {
         type: "WEB",
         url: "https://github.com/python/cpython/commit/a956e510f6336d5ae111ba429a61c3ade30a7549",
      },
      {
         type: "WEB",
         url: "https://github.com/python/cpython/commit/d05bac0b74153beb541b88b4fca33bf053990183",
      },
      {
         type: "WEB",
         url: "https://github.com/python/cpython/commit/fa181fcf2156f703347b03a3b1966ce47be8ab3b",
      },
      {
         type: "WEB",
         url: "https://lists.debian.org/debian-lts-announce/2024/03/msg00024.html",
      },
      {
         type: "WEB",
         url: "https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html",
      },
      {
         type: "WEB",
         url: "https://mail.python.org/archives/list/security-announce@python.org/thread/XELNUX2L3IOHBTFU7RQHCY6OUVEWZ2FG",
      },
      {
         type: "WEB",
         url: "https://www.bamsoftware.com/hacks/zipbomb",
      },
   ],
   schema_version: "1.4.0",
   severity: [
      {
         score: "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
         type: "CVSS_V3",
      },
   ],
}


Log in or create an account to share your comment.

Security Advisory comment format.

This schema specifies the format of a comment related to a security advisory.

UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).



Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.