CPython zipfile module vulnerable to 'quoted-overlap' zip-bombs
CVE-2024-0450

6.2MEDIUM

Key Information:

Vendor
Python Software Foundation
Status
Cpython
Vendor
CVE Published:
19 March 2024

Summary

An issue was found in the CPython zipfile module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.

The zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive.

Affected Version(s)

CPython 0 < 3.8.19

CPython 3.9.0 < 3.9.19

CPython 3.10.0 < 3.10.14

References

https://github.com/python/cpython/commit/66363b9a7b9fe7c9...
patch
https://github.com/python/cpython/commit/fa181fcf2156f703...
patch
https://github.com/python/cpython/commit/a956e510f6336d5a...
patch

CVSS V3.1

Score:
6.2
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.