Quadratic complexity parsing cookies with backslashes
CVE-2024-7592

7.5 HIGH

Key Information:

CVE Published: 19 August 2024

Summary

A performance issue exists in the 'http.cookies' standard library module of CPython that affects how cookies are parsed. Specifically, the issue arises with cookie values that contain backslash-escaped characters inside quoted strings. Parsing such values uses an algorithm with quadratic complexity, so CPU consumption grows disproportionately with the length of the value. System performance may degrade as a result, so developers and system administrators should identify affected implementations and apply the available patches.
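As an added example (not CPython's own code and not the upstream patch), the helpers below cover what a defender wants from this record: a check of an interpreter version against the affected ranges listed on this page, a single-pass unquote of backslash-escaped cookie values that runs in linear time, and a length cap applied before http.cookies parses a header on an interpreter that has not yet been updated. The function names, the 4096-byte default cap and the sample header are assumptions made for the example.

```python
"""Added example for CVE-2024-7592; not CPython's code and not the upstream fix."""
import re
from http.cookies import SimpleCookie, CookieError

# Affected ranges exactly as listed on this page: (inclusive start, exclusive fixed version).
AFFECTED_RANGES = (
    ((0, 0, 0), (3, 8, 20)),
    ((3, 9, 0), (3, 9, 20)),
    ((3, 10, 0), (3, 10, 15)),
)

# One escape form per alternative: \ooo (octal, leading digit 0-3) or \c (any single char).
_ESCAPE = re.compile(r"\\(?:([0-3][0-7][0-7])|(.))", re.DOTALL)


def is_affected(version):
    """Return True if a (major, minor, micro) CPython version lies in a listed range."""
    v = tuple(version[:3])
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


def unquote_linear(value: str) -> str:
    """Unquote a cookie value in a single pass.

    Strips surrounding double quotes, replaces \\ooo with the character whose
    code is the octal number ooo, and replaces \\c with c. One regex substitution
    walks the string once, so the cost is linear in the value length; this is an
    illustrative replacement, not the algorithm CPython ships.
    """
    if len(value) < 2 or not (value[0] == '"' and value[-1] == '"'):
        return value  # unquoted values are returned untouched

    def _repl(match):
        octal, char = match.groups()
        return chr(int(octal, 8)) if octal else char

    return _ESCAPE.sub(_repl, value[1:-1])


def load_cookie_header(header: str, max_len: int = 4096) -> dict:
    """Parse a Cookie header with http.cookies only after enforcing a length cap.

    The cap (an assumed default; size it from your own cookie budget) bounds the
    work an interpreter that has not been updated can be asked to do on one
    header. Returns a plain {name: value} mapping.
    """
    if len(header) > max_len:
        raise ValueError(f"Cookie header of {len(header)} bytes exceeds cap of {max_len}")
    jar = SimpleCookie()
    try:
        jar.load(header)
    except CookieError as exc:
        raise ValueError(f"malformed cookie header: {exc}") from exc
    return {name: morsel.value for name, morsel in jar.items()}


if __name__ == "__main__":
    import sys
    print("interpreter affected per listed ranges:", is_affected(sys.version_info[:3]))
    # Constructed sample header: one quoted value with an escaped quote, one plain value.
    print(load_cookie_header('session="ab\\"c"; theme=dark'))
```

Run on a host, the first line tells you whether the running interpreter falls inside the ranges listed above; the cap in load_cookie_header is the interim control to keep until the interpreter is updated, since it bounds the input length rather than trying to recognise the specific backslash pattern.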

Affected Version(s)

CPython 0 < 3.8.20

CPython 3.9.0 < 3.9.20

CPython 3.10.0 < 3.10.15


CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published (19 August 2024)