
CVE-2024-0450

Asymmetric Resource Consumption (Amplification)

Published: Mar 19, 2024 | Modified: Jun 10, 2024
CVSS 3.x (source: NVD): N/A
CVSS 2.x: not listed
RedHat/V2: not listed
RedHat/V3: 6.2 MODERATE (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Ubuntu: MEDIUM

An issue was found in the CPython zipfile module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.

The zipfile module is vulnerable to “quoted-overlap” zip bombs, which exploit the zip format to build an archive with a very high compression ratio by having several central-directory entries reference the same compressed data. The fixed versions of CPython make the zipfile module reject zip archives whose entries overlap.
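The structural property the fix relies on can be checked independently of the interpreter version: every central-directory entry points at a local file header, and the byte range from that header through the entry's compressed data must not be claimed by any other entry or run into the central directory. The following checker is an added example written for this page; it is not CPython's patch, and the two archives it builds are constructed in-memory test fixtures (a clean two-entry archive, and the same archive with its second central-directory record redirected at the first entry's data, the minimal overlapping shape). The function and constant names are this example's own.

```python
"""Added example: detect overlapping entries in a zip archive, the property
that the fixed CPython zipfile module rejects. Independent re-implementation
for this page, not CPython's code; fixtures are constructed test data."""
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"      # local file header signature
CENTRAL_SIG = b"PK\x01\x02"    # central directory file header signature
LOCAL_FIXED = 30               # fixed-size part of a local file header
CENTRAL_FIXED = 46             # fixed-size part of a central directory header


def entry_spans(data):
    """Return (name, start, end) byte ranges for every central-directory entry.

    start is the local header offset recorded in the central directory; end is
    derived from the real local header (name/extra lengths) plus the compressed
    size, so two entries reusing the same bytes yield overlapping ranges.
    """
    fp = io.BytesIO(data)
    spans = []
    with zipfile.ZipFile(fp) as zf:
        for info in zf.infolist():
            fp.seek(info.header_offset)
            header = fp.read(LOCAL_FIXED)
            if len(header) != LOCAL_FIXED or header[:4] != LOCAL_SIG:
                raise zipfile.BadZipFile(f"bad local header for {info.filename!r}")
            name_len, extra_len = struct.unpack("<HH", header[26:30])
            end = (info.header_offset + LOCAL_FIXED + name_len + extra_len
                   + info.compress_size)
            spans.append((info.filename, info.header_offset, end))
        # No entry's data may run into the central directory itself.
        spans.append(("<central directory>", zf.start_dir, zf.start_dir))
    return spans


def find_overlaps(data):
    """Names of entries whose data starts inside a region already claimed by an
    earlier (lower-offset) entry. A well-formed archive returns []."""
    overlapping = []
    max_end = 0
    for name, start, end in sorted(entry_spans(data), key=lambda s: (s[1], s[2])):
        if start < max_end:
            overlapping.append(name)
        max_end = max(max_end, end)
    return overlapping


def make_clean_fixture():
    """Constructed fixture: a well-formed two-entry stored archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("a.txt", "hello")
        zf.writestr("b.txt", "world")
    return buf.getvalue()


def make_overlapping_fixture():
    """Constructed fixture: the clean archive with its second central-directory
    record rewritten so it points at the first entry's local header, making
    both entries claim the same bytes."""
    buf = bytearray(make_clean_fixture())
    with zipfile.ZipFile(io.BytesIO(bytes(buf))) as zf:
        first_offset = zf.infolist()[0].header_offset
        cd = zf.start_dir
    # Walk past the first central-directory record to reach the second one.
    name_len, extra_len, comment_len = struct.unpack("<HHH", buf[cd + 28:cd + 34])
    second = cd + CENTRAL_FIXED + name_len + extra_len + comment_len
    if buf[second:second + 4] != CENTRAL_SIG:
        raise ValueError("fixture layout assumption broken")
    # Offset 42 within a central-directory record is the local header offset.
    struct.pack_into("<I", buf, second + 42, first_offset)
    return bytes(buf)


if __name__ == "__main__":
    print("clean:", find_overlaps(make_clean_fixture()))
    print("overlapping:", find_overlaps(make_overlapping_fixture()))
```

Run it on any archive you receive before extracting: a non-empty result is the same condition on which a fixed CPython raises BadZipFile when the overlapping entry is read, so the check is useful as a pre-screen on interpreters that predate the fix or as an extra guard in front of third-party unzip code.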

Weakness

The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary’s influence is “asymmetric.”

Affected Software

Name | Vendor | Start Version | End Version
Red Hat Enterprise Linux 8 | RedHat | python3-0:3.6.8-62.el8_10 | *
Red Hat Enterprise Linux 8 | RedHat | python39:3.9-8100020240516111311.d47b87a4 | *
Red Hat Enterprise Linux 8 | RedHat | python39-devel:3.9-8100020240516111311.d47b87a4 | *
Red Hat Enterprise Linux 8 | RedHat | python3.11-0:3.11.9-1.el8_10 | *
Red Hat Enterprise Linux 8 | RedHat | python3.12-0:3.12.3-2.el8_10 | *
Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support | RedHat | python3-0:3.6.8-47.el8_6.6 | *
Red Hat Enterprise Linux 8.6 Telecommunications Update Service | RedHat | python3-0:3.6.8-47.el8_6.6 | *
Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions | RedHat | python3-0:3.6.8-47.el8_6.6 | *
Red Hat Enterprise Linux 8.8 Extended Update Support | RedHat | python3-0:3.6.8-51.el8_8.6 | *
Red Hat Enterprise Linux 9 | RedHat | python3.9-0:3.9.18-3.el9_4.1 | *
Red Hat Enterprise Linux 9 | RedHat | python3.12-0:3.12.5-2.el9 | *
Red Hat Enterprise Linux 9 | RedHat | python3.11-0:3.11.9-7.el9 | *
Service Interconnect 1.4 for RHEL 9 | RedHat | service-interconnect/skupper-router-rhel9:2.4.3-5 | *
Service Interconnect 1 for RHEL 9 | RedHat | service-interconnect/skupper-router-rhel9:2.5.3-2 | *
Python3.10 | Ubuntu | jammy | *
Python3.10 | Ubuntu | upstream | *
Python3.11 | Ubuntu | mantic | *
Python3.12 | Ubuntu | mantic | *
Python3.12 | Ubuntu | upstream | *
Python3.5 | Ubuntu | esm-infra/xenial | *
Python3.5 | Ubuntu | trusty/esm | *
Python3.6 | Ubuntu | esm-infra/bionic | *
Python3.7 | Ubuntu | esm-apps/bionic | *
Python3.8 | Ubuntu | esm-apps/bionic | *
Python3.8 | Ubuntu | focal | *
Python3.8 | Ubuntu | upstream | *
Python3.9 | Ubuntu | esm-apps/focal | *
Python3.9 | Ubuntu | upstream | *
