CVE-2024-7592 — Uncontrolled Resource Consumption in Software Foundation Cpython

CWE-400 — Uncontrolled Resource Consumption CWE-1333 — Regex Denial of Service CWE-770 — Allocation of Resources Without Limits or Throttling12 documents10 sources

Severity

7.5HIGHNVD

EPSS

1.0%

top 22.77%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Python Software Foundation Cpython Python

Timeline

PublishedAug 19

Latest updateJan 15

Description

There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5python_software_foundation/cpython3.9.0 — 3.9.20+5

▶NVDpython/python3.9.0 — 3.9.20+5

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Tornado has an HTTP cookie parsing DoS vulnerability↗2024-11-22

▶

OSV

CVE-2024-7592: There is a LOW severity vulnerability affecting CPython, specifically the 'http↗2024-08-19

▶

GHSA

GHSA-7pwv-g7hj-39pr: There is a LOW severity vulnerability affecting CPython, specifically the 'http↗2024-08-19

▶

OSV

CVE-2024-7592: There is a LOW severity vulnerability affecting CPython, specifically the 'http↗2024-08-19

▶

CVEList

Quadratic complexity parsing cookies with backslashes↗2024-08-19

▶

📋Vendor Advisories

Oracle

Oracle Oracle Communications Applications Risk Matrix: Core (Python) — CVE-2024-7592↗2025-01-15

▶

Ubuntu

Python vulnerabilities↗2024-09-19

▶

Ubuntu

Python vulnerabilities↗2024-09-16

▶

Red Hat

cpython: python: Uncontrolled CPU resource consumption when in http.cookies module↗2024-08-19

▶

Microsoft

Quadratic complexity parsing cookies with backslashes↗2024-08-13

▶