CVE-2022-48564 — Uncontrolled Resource Consumption in Python

CWE-400 — Uncontrolled Resource Consumption11 documents6 sources

Severity

6.5MEDIUMNVD

OSV7.6

EPSS

0.1%

top 73.01%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Python Debian Pypy3 Debian Python2.7 +1 more

Timeline

PublishedAug 22

Latest updateJul 11

Description

read_ints in plistlib.py in Python through 3.9.1 is vulnerable to a potential DoS attack via CPU and RAM exhaustion when processing malformed Apple Property List files in binary format.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages4 packages

▶NVDpython/python3.7.0 — 3.7.10+3

▶debiandebian/python2.7< pypy3 7.3.5+dfsg-2 (bookworm)

▶debiandebian/python3.9< pypy3 7.3.5+dfsg-2 (bookworm)

▶debiandebian/pypy3< pypy3 7.3.5+dfsg-2 (bookworm)

Patches

Patch: bugs.python.org ↗Patch: bugs.python.org ↗

🔴Vulnerability Details

OSV

python3.5, python3.6, python3.7, python3.8, python3.9, python3.10, python3.11, python3.12 vulnerabilities↗2024-07-11

▶

OSV

python3.8, python3.10, python3.11 vulnerability↗2023-11-27

▶

OSV

python2.7, python3.5, python3.6 vulnerabilities↗2023-11-23

▶

OSV

CVE-2022-48564: read_ints in plistlib↗2023-08-22

▶

GHSA

GHSA-p8vw-m6qq-w42v: read_ints in plistlib↗2023-08-22

▶

📋Vendor Advisories

Ubuntu

Python vulnerabilities↗2024-07-11

▶

Ubuntu

Python vulnerability↗2023-11-27

▶

Ubuntu

Python vulnerabilities↗2023-11-23

▶

Red Hat

python: DoS when processing malformed Apple Property List files in binary format↗2023-08-22

▶

Debian

CVE-2022-48564: pypy3 - read_ints in plistlib.py in Python through 3.9.1 is vulnerable to a potential Do...↗2022

▶