Infinite Loop Vulnerability in CPython's 'zipfile' Module
CVE-2024-8088

7.5HIGH

Key Information:

Vendor: Python Software Foundation
Status: Cpython
Vendor: CVE Published:; 22 August 2024

🔔 Create Python Software Foundation Vulnerability Alert

What is CVE-2024-8088?

The CPython zipfile module has a vulnerability affecting the zipfile.Path functions, such as namelist() and iterdir(). This flaw can result in an infinite loop when processing specially crafted zip archives, specifically during metadata reading or content extraction. Programs that do not process user-controlled zip archives remain unaffected. Developers need to be cautious when handling zip files from untrusted sources.

Affected Version(s)

CPython 0 < 3.8.20

CPython 3.9.0 < 3.9.20

CPython 3.10.0 < 3.10.15

References

https://mail.python.org/archives/list/security-announce@p...

vendor-advisory

https://github.com/python/cpython/pull/122906

patch

https://github.com/python/cpython/issues/122905

issue-tracking

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 22, 2024
Vulnerability Reserved
Aug 22, 2024

Credit

Jason R. Coombs

Seth Larson