Infinite Loop Vulnerability in CPython's 'zipfile' Module
CVE-2024-8088

8.7HIGH

Key Information:

Vendor

Python Software Foundation

Status
Cpython
Vendor
CVE Published:
22 August 2024

What is CVE-2024-8088?

The CPython zipfile module has a vulnerability affecting the zipfile.Path functions, such as namelist() and iterdir(). This flaw can result in an infinite loop when processing specially crafted zip archives, specifically during metadata reading or content extraction. Programs that do not process user-controlled zip archives remain unaffected. Developers need to be cautious when handling zip files from untrusted sources.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

CPython 0 < 3.8.20

CPython 3.9.0 < 3.9.20

CPython 3.10.0 < 3.10.15

References

https://mail.python.org/archives/list/security-announce@p...
vendor-advisory
https://github.com/python/cpython/pull/122906
patch
https://github.com/python/cpython/issues/122905
issue-tracking

CVSS V4

Score:
8.7
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Jason R. Coombs
Seth Larson
JSON
.