CVE-2024-5569Infinite Loop in Zipp

CWE-835Infinite LoopCWE-400Uncontrolled Resource Consumption8 documents7 sources
Severity
6.2MEDIUMNVD
EPSS
0.0%
top 96.34%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Jaraco ZippDebian Python-zippMsrc Azure Linux 3.0 ARM+1 more
Timeline
PublishedJul 9
Latest updateDec 10

Description

A Denial of Service (DoS) vulnerability exists in the jaraco/zipp library, affecting all versions prior to 3.19.1. The vulnerability is triggered when processing a specially crafted zip file that leads to an infinite loop. This issue also impacts the zipfile module of CPython, as features from the third-party zipp library are later merged into CPython, and the affected code is identical in both projects. The infinite loop can be initiated through the use of functions affecting the `Path` module

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 2.5 | Impact: 3.6

Affected Packages5 packages

CVEListV5jaraco/jaraco_zippunspecified3.19.1
PyPIjaraco/jaraco_zipp< 3.19.1
debiandebian/python-zipp< python-zipp 1.0.0-6+deb12u1 (bookworm)

🔴Vulnerability Details

3
OSV
zipp Denial of Service vulnerability2024-07-09
OSV
CVE-2024-5569: A Denial of Service (DoS) vulnerability exists in the jaraco/zipp library, affecting all versions prior to 32024-07-09
GHSA
zipp Denial of Service vulnerability2024-07-09

📋Vendor Advisories

4
Microsoft
CVE-2024-5569: NIST NVD Details: https://nvd2024-12-10
Ubuntu
python-zipp vulnerability2024-07-24
Red Hat
github.com/jaraco/zipp: Denial of Service (infinite loop) via crafted zip file in jaraco/zipp2024-07-09
Debian
CVE-2024-5569: python-zipp - A Denial of Service (DoS) vulnerability exists in the jaraco/zipp library, affec...2024
CVE-2024-5569 — Infinite Loop in Jaraco Zipp | cvebase