SB2024032107 - Denial of service in CPython zipfile module
Published: March 21, 2024
Security Bulletin ID
SB2024032107
Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Denial of service
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Resource exhaustion (CVE-ID: CVE-2024-0450)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to the zipfile module does not properly control consumption of internal resources when extracting files from a zip archive. A remote attacker can pass a specially crafted archive aka zip-bomb to the application, trigger resource exhaustion and perform a denial of service (DoS) attack.
Remediation
Install update from vendor's website.
References
- https://github.com/python/cpython/commit/66363b9a7b9fe7c99eba3a185b74c5fdbf842eba
- https://github.com/python/cpython/commit/fa181fcf2156f703347b03a3b1966ce47be8ab3b
- https://github.com/python/cpython/commit/a956e510f6336d5ae111ba429a61c3ade30a7549
- https://github.com/python/cpython/commit/30fe5d853b56138dbec62432d370a1f99409fc85
- https://github.com/python/cpython/commit/a2c59992e9e8d35baba9695eb186ad6c6ff85c51
- https://github.com/python/cpython/commit/d05bac0b74153beb541b88b4fca33bf053990183
- https://github.com/python/cpython/issues/109858
- https://www.bamsoftware.com/hacks/zipbomb/
- https://mail.python.org/archives/list/security-announce@python.org/thread/XELNUX2L3IOHBTFU7RQHCY6OUVEWZ2FG/