Excessive Backtracking in Tarfile Header Parsing Could Lead to ReDoS Vulnerability
CVE-2024-6232

7.5HIGH

Key Information:

Vendor

Python Software Foundation

Status
Cpython
Vendor
CVE Published:
3 September 2024

What is CVE-2024-6232?

A vulnerability has been identified in CPython's tarfile module that permits ReDoS (Regular Expression Denial of Service) attacks. This vulnerability arises from excessive backtracking within the regular expressions used for parsing TarFile headers. Specifically crafted tar archives can exploit this weakness, potentially allowing an attacker to cause denial of service by consuming excessive computational resources. Users of affected versions are advised to apply available patches to mitigate this issue.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

CPython 0 < 3.8.20

CPython 3.9.0 < 3.9.20

CPython 3.10.0 < 3.10.15

References

https://github.com/python/cpython/pull/121286
patch
https://github.com/python/cpython/issues/121285
issue-tracking
https://mail.python.org/archives/list/security-announce@p...
vendor-advisory

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Elias Joakim Myllymäki
Seth Larson
Seth Larson
Gregory P. Smith
JSON
.