CVE-2024-0450: Asymmetric Resource Consumption (Amplification) in Python Software Foundation CPython

Severity: 6.2 MEDIUM (NVD)
EPSS: 0.1% (top 64.61%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 19; Latest update Jan 16

Description

An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The zipfile module is vulnerable to "quoted-overlap" zip-bombs, which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython make the zipfile module reject zip archives whose entries overlap in the archive.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (Exploitability: 2.5 | Impact: 3.6)

Affected Packages (1 package)

CVEListV5: python_software_foundation/cpython, versions 3.9.0 to 3.9.19 (+5)

Vulnerability Details (5)

OSV: python2.7 vulnerabilities (2025-01-16)
GHSA: GHSA-jm46-725r-hh9v: An issue was found in the CPython `zipfile` module affecting versions 3 (2024-03-19)
CVEList: Quoted zip-bomb protection for zipfile (2024-03-19)
OSV: CVE-2024-0450: An issue was found in the CPython `zipfile` module affecting versions 3 (2024-03-19)
OSV: CVE-2024-0450: An issue was found in the CPython `zipfile` module affecting versions 3 (2024-03-19)

Vendor Advisories (8)

Ubuntu: Python 2.7 vulnerabilities (2025-01-16)
Oracle: Oracle Communications Risk Matrix: Automated Test Suite (Python), CVE-2024-0450 (2025-01-15)
Oracle: Oracle Communications Risk Matrix: Configuration (Python), CVE-2024-0450 (2024-10-15)
Oracle: Oracle Communications Risk Matrix: Automated Test Suite Framework (Python), CVE-2024-0450 (2024-07-15)
Ubuntu: Python vulnerabilities (2024-07-11)
CVE-2024-0450 — MEDIUM severity | cvebase