CVE-2022-45061: Inefficient Algorithmic Complexity in Python

Severity
7.5 HIGH (NVD); OSV 9.8; OSV 7.6
EPSS
0.1% (top 68.48%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Nov 9
Latest update: Jan 16

Description

An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied sup

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages (8 packages)

Debian: debian/python2.7 < pypy3 7.3.11+dfsg-1 (bookworm)
Debian: debian/python3.9 < pypy3 7.3.11+dfsg-1 (bookworm)
Debian: debian/python3.11 < pypy3 7.3.11+dfsg-1 (bookworm)
NVD: python/python 3.8.0 to 3.8.15 (+4)

Also affects: Fedora 35, 36, 37

Patches

Vulnerability Details (7)

OSV: python2.7 vulnerabilities (2025-01-16)
OSV: python3.5, python3.6, python3.7, python3.8, python3.9, python3.10, python3.11, python3.12 vulnerabilities (2024-07-11)
OSV: python3.9 vulnerabilities (2023-02-27)
OSV: python2.7, python3.10, python3.6, python3.8 vulnerabilities (2022-12-08)
OSV: python2.7, python3.5 vulnerability (2022-12-08)

Vendor Advisories (12)

Ubuntu: Python 2.7 vulnerabilities (2025-01-16)
Ubuntu: Python vulnerabilities (2024-07-11)
CISA ICS: Siemens SCALANCE XCM-/XRM-300 (2024-02-15)
Oracle: Oracle Communications Risk Matrix: Configuration (Python), CVE-2022-45061 (2023-10-15)
Oracle: Oracle Communications Risk Matrix: Install/Upgrade (Python), CVE-2022-45061 (2023-07-15)