An issue was found in the CPython zipfile module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.
The zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive.
Asymmetric Resource Consumption (Amplification)
-
| Package | Type | OS Name | OS Version | Affected Ranges | Fix Versions |
|---|---|---|---|---|---|
| debian/python3.11 | deb | debian | 12 | >=3.11.2-6 | Not yet available |
| debian/pypy3 | deb | debian | 10 | >=7.0.0+dfsg-3 | Not yet available |
| debian/pypy3 | deb | debian | unstable | <7.3.16+dfsg-1 | 7.3.16+dfsg-1 |
| debian/pypy3 | deb | debian | 12 | >=7.3.11+dfsg-2+deb12u1 | Not yet available |
| debian/pypy3 | deb | debian | 11 | >=7.3.5+dfsg-2+deb11u2 | Not yet available |
| debian/pypy3 | deb | debian | 13 | <7.3.16+dfsg-1 | 7.3.16+dfsg-1 |
| debian/python2.7 | deb | debian | 10 | <2.7.16-2+deb10u4 | 2.7.16-2+deb10u4 |
| debian/python2.7 | deb | debian | 11 | >=2.7.18-8+deb11u1 | Not yet available |
| debian/python3.11 | deb | debian | 13 | <3.11.8-1 | 3.11.8-1 |
| debian/python3.11 | deb | debian | unstable | <3.11.8-1 | 3.11.8-1 |
| debian/python3.12 | deb | debian | unstable | <3.12.2-1 | 3.12.2-1 |
| debian/python3.12 | deb | debian | 13 | <3.12.2-1 | 3.12.2-1 |
| debian/python3.7 | deb | debian | 10 | <3.7.3-2+deb10u7 | 3.7.3-2+deb10u7 |
| debian/python3.9 | deb | debian | 11 | >=3.9.2-1 | Not yet available |
Severity and metrics
No CVSS data available from this source.
2.5
-
-
-
-
-
-
BIT-python-2024-0450
-
CVE-2024-0450
-
CVE-2024-0450
-