CVE-2013-7338 — Improper Input Validation in Python

CWE-20 — Improper Input Validation7 documents7 sources

Severity

7.1HIGHNVD

EPSS

7.8%

top 8.02%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apple MAC OS X Apple OS X Yosemite V10.10.5 AND Security Update 2015-006 Python +1 more

Timeline

PublishedApr 22

Latest updateMay 14

Description

Python before 3.3.4 RC1 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a file size value larger than the size of the zip file to the (1) ZipExtFile.read, (2) ZipExtFile.read(n), (3) ZipExtFile.readlines, (4) ZipFile.extract, or (5) ZipFile.extractall function.

CVSS vector

AV:N/AC:M/C:N/I:N/A:CExploitability: 8.6 | Impact: 6.9

Affected Packages4 packages

▶NVDpython/python4 versions+3

▶debiandebian/python2.7

▶NVDapple/mac_os_x10.10.4

▶Appleapple/os_x_yosemite_v10.10.5_and_security_update_2015-006

Patches

Patch: bugs.python.org ↗Patch: hg.python.org ↗Patch: support.apple.com ↗

🔴Vulnerability Details

GHSA

GHSA-hr8p-cf7x-v483: Python before 3↗2022-05-14

▶

OSV

CVE-2013-7338: Python before 3↗2014-04-22

▶

📋Vendor Advisories

Red Hat

python: malformed ZIP files could cause 100% CPU usage↗2013-12-27

▶

Debian

CVE-2013-7338: python2.7 - Python before 3.3.4 RC1 allows remote attackers to cause a denial of service (in...↗2013

▶

Apple

CVE-2013-7338: OS X Yosemite v10.10.5 and Security Update 2015-006↗

▶

💬Community

Bugzilla

CVE-2013-7338 python: malformed ZIP files could cause 100% CPU usage↗2014-03-19

▶