Infinite Loop Vulnerability in CPython's 'zipfile' Module
CVE-2024-8088

7.5HIGH

Key Information:

Vendor
Python Software Foundation
Status
Cpython
Vendor
CVE Published:
22 August 2024

Summary

The CPython zipfile module has a vulnerability affecting the zipfile.Path functions, such as namelist() and iterdir(). This flaw can result in an infinite loop when processing specially crafted zip archives, specifically during metadata reading or content extraction. Programs that do not process user-controlled zip archives remain unaffected. Developers need to be cautious when handling zip files from untrusted sources.

Affected Version(s)

CPython 0 < 3.8.20

CPython 3.9.0 < 3.9.20

CPython 3.10.0 < 3.10.15

References

https://mail.python.org/archives/list/security-announce@p...
vendor-advisory
https://github.com/python/cpython/pull/122906
patch
https://github.com/python/cpython/issues/122905
issue-tracking

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Jason R. Coombs
Seth Larson
.
CVE-2024-8088 : Infinite Loop Vulnerability in CPython's 'zipfile' Module | SecurityVulnerability.io