CVE-2024-8088 — Infinite Loop in Software Foundation Cpython

CWE-835 — Infinite Loop10 documents9 sources

Severity

8.7HIGHNVD

EPSS

0.2%

top 54.07%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Python Software Foundation Cpython

Timeline

PublishedAug 22

Latest updateSep 16

Description

There is a HIGH severity vulnerability affecting the CPython "zipfile" module affecting "zipfile.Path". Note that the more common API "zipfile.ZipFile" class is unaffected. When iterating over names of entries in a zip archive (for example, methods of "zipfile.Path" like "namelist()", "iterdir()", etc) the process can be put into an infinite loop with a maliciously crafted zip archive. This defect applies when reading only metadata or extracting the contents of the zip archive. Programs that a…

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/S:N

Affected Packages1 packages

▶CVEListV5python_software_foundation/cpython3.9.0 — 3.9.20+5

🔴Vulnerability Details

GHSA

GHSA-q98g-hxg3-268c: There is a HIGH severity vulnerability affecting the CPython "zipfile" module↗2024-08-22

▶

CVEList

Infinite loop when iterating over zip archive entry names from zipfile.Path↗2024-08-22

▶

OSV

CVE-2024-8088: There is a HIGH severity vulnerability affecting the CPython "zipfile" module affecting "zipfile↗2024-08-22

▶

OSV

CVE-2024-8088: There is a HIGH severity vulnerability affecting the CPython "zipfile" module affecting "zipfile↗2024-08-22

▶

📋Vendor Advisories

Ubuntu

Python vulnerabilities↗2024-09-16

▶

Red Hat

python: cpython: Iterating over a malicious ZIP file may lead to Denial of Service↗2024-08-22

▶

Microsoft

Infinite loop when iterating over zip archive entry names from zipfile.Path↗2024-08-13

▶

Debian

CVE-2024-8088: pypy3 - There is a HIGH severity vulnerability affecting the CPython "zipfile" module af...↗2024

▶