CVE-2019-9674 — Uncontrolled Resource Consumption in Python

CWE-400 — Uncontrolled Resource Consumption CWE-409 — Improper Handling of Highly Compressed Data (Data Amplification)18 documents9 sources

Severity

7.5HIGHNVD

OSV7.6

EPSS

1.3%

top 20.52%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Python Canonical Ubuntu Linux Debian Python2.7 +6 more

Timeline

PublishedFeb 4

Latest updateJan 16

Description

Lib/zipfile.py in Python through 3.7.2 allows remote attackers to cause a denial of service (resource consumption) via a ZIP bomb.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages8 packages

▶NVDpython/python3.2 — 3.8

▶debiandebian/python2.7

▶msrcmsrc/cm1_python2_2.7.18-5_on_cbl_mariner_1.0

▶msrcmsrc/cbl2_python2_2.7.18-8_on_cbl_mariner_2.0

▶msrcmsrc/cbl_mariner_1.0_arm

Also affects: Ubuntu Linux 12.04, 14.04, 16.04, 18.04, 20.04

🔴Vulnerability Details

OSV

python2.7 vulnerabilities↗2025-01-16

▶

OSV

python3.5, python3.6, python3.7, python3.8, python3.9, python3.10, python3.11, python3.12 vulnerabilities↗2024-07-11

▶

GHSA

Fides Webserver Vulnerable to Zip Bomb File Uploads↗2023-07-18

▶

OSV

Fides Webserver Vulnerable to Zip Bomb File Uploads↗2023-07-18

▶

GHSA

GHSA-h33x-58qw-vqrp: Lib/zipfile↗2022-05-24

▶

📋Vendor Advisories

Ubuntu

Python 2.7 vulnerabilities↗2025-01-16

▶

Ubuntu

Python vulnerabilities↗2024-07-11

▶

Ubuntu

Python vulnerabilities↗2021-03-12

▶

Ubuntu

Python vulnerabilities↗2020-07-22

▶

Microsoft

Lib/zipfile.py in Python through 3.7.2 allows remote attackers to cause a denial of service (resource consumption) via a ZIP bomb.↗2020-02-11

▶

💬Community

Bugzilla

CVE-2019-9674 python3: python: Nested zip file (Zip bomb) vulnerability in Lib/zipfile.py [fedora-all]↗2020-02-07

▶

Bugzilla

CVE-2019-9674 python: Nested zip file (Zip bomb) vulnerability in Lib/zipfile.py↗2020-02-07

▶