CVE-2022-45061

An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16.

Weakness

An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.

Affected Software

Name	Vendor	Start Version	End Version
Python	Python	*	3.7.15 (including)
Python	Python	3.8.0 (including)	3.8.15 (including)
Python	Python	3.9.0 (including)	3.9.15 (including)
Python	Python	3.10.0 (including)	3.10.8 (including)
Python	Python	3.11.0 (including)	3.11.0 (including)
Python	Python	3.11.0-alpha1 (including)	3.11.0-alpha1 (including)
Python	Python	3.11.0-alpha2 (including)	3.11.0-alpha2 (including)
Python	Python	3.11.0-alpha3 (including)	3.11.0-alpha3 (including)
Python	Python	3.11.0-alpha4 (including)	3.11.0-alpha4 (including)
Python	Python	3.11.0-alpha5 (including)	3.11.0-alpha5 (including)
Python	Python	3.11.0-alpha6 (including)	3.11.0-alpha6 (including)
Python	Python	3.11.0-alpha7 (including)	3.11.0-alpha7 (including)
Python	Python	3.11.0-beta1 (including)	3.11.0-beta1 (including)
Python	Python	3.11.0-beta2 (including)	3.11.0-beta2 (including)
Python	Python	3.11.0-beta3 (including)	3.11.0-beta3 (including)
Python	Python	3.11.0-beta4 (including)	3.11.0-beta4 (including)
Python	Python	3.11.0-beta5 (including)	3.11.0-beta5 (including)
Python	Python	3.11.0-rc1 (including)	3.11.0-rc1 (including)
Python	Python	3.11.0-rc2 (including)	3.11.0-rc2 (including)
Red Hat Enterprise Linux 8	RedHat	python3-0:3.6.8-48.el8_7.1	*
Red Hat Enterprise Linux 8	RedHat	python38:3.8-8080020221221151857.0d9ba776	*
Red Hat Enterprise Linux 8	RedHat	python38-devel:3.8-8080020221221151857.0d9ba776	*
Red Hat Enterprise Linux 8	RedHat	python39:3.9-8080020221221152015.aed85c85	*
Red Hat Enterprise Linux 8	RedHat	python39-devel:3.9-8080020221221152015.aed85c85	*
Red Hat Enterprise Linux 8	RedHat	python27:2.7-8080020221221225124.ba5e661a	*
Red Hat Enterprise Linux 8	RedHat	python3-0:3.6.8-48.el8_7.1	*
Red Hat Enterprise Linux 8.6 Extended Update Support	RedHat	python3-0:3.6.8-47.el8_6.4	*
Red Hat Enterprise Linux 9	RedHat	python3.9-0:3.9.14-1.el9_1.2	*
Red Hat Enterprise Linux 9	RedHat	python3.9-0:3.9.14-1.el9_1.2	*
Red Hat Software Collections for Red Hat Enterprise Linux 7	RedHat	rh-python38-python-0:3.8.18-2.el7	*
Python	Ubuntu	trusty	*
Python	Ubuntu	xenial	*
Python2.7	Ubuntu	bionic	*
Python2.7	Ubuntu	esm-apps/focal	*
Python2.7	Ubuntu	esm-apps/jammy	*
Python2.7	Ubuntu	esm-infra/xenial	*
Python2.7	Ubuntu	kinetic	*
Python2.7	Ubuntu	trusty	*
Python2.7	Ubuntu	trusty/esm	*
Python2.7	Ubuntu	xenial	*
Python3.10	Ubuntu	jammy	*
Python3.10	Ubuntu	kinetic	*
Python3.11	Ubuntu	jammy	*
Python3.11	Ubuntu	kinetic	*
Python3.11	Ubuntu	upstream	*
Python3.4	Ubuntu	esm-infra-legacy/trusty	*
Python3.4	Ubuntu	trusty	*
Python3.4	Ubuntu	trusty/esm	*
Python3.5	Ubuntu	esm-infra/xenial	*
Python3.5	Ubuntu	trusty	*
Python3.5	Ubuntu	trusty/esm	*
Python3.5	Ubuntu	xenial	*
Python3.6	Ubuntu	bionic	*
Python3.7	Ubuntu	bionic	*
Python3.7	Ubuntu	esm-apps/bionic	*
Python3.8	Ubuntu	bionic	*
Python3.8	Ubuntu	esm-apps/bionic	*
Python3.8	Ubuntu	focal	*
Python3.9	Ubuntu	esm-apps/focal	*
Python3.9	Ubuntu	focal	*

NVD	https://nvd.nist.gov/vuln/detail/CVE-2022-45061
CWE	https://cwe.mitre.org/data/definitions/407.html

Inefficient Algorithmic Complexity

Weakness

Affected Software

References