Lucene search

Alpine Linux Development TeamALPINE:CVE-2021-40839

HistorySep 10, 2021 - 2:15 a.m.

CVE-2021-40839

2021-09-1002:15:07

Alpine Linux Development Team

security.alpinelinux.org

rencode package

python

remote attack

infinite loop

cpu

memory

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

AI Score

7.5

Confidence

High

EPSS

0.004

Percentile

74.7%

JSON

The rencode package through 1.0.6 for Python allows an infinite loop in typecode decoding (such as via ;\x2f\x7f), enabling a remote attack that consumes CPU and memory.

OSVersionArchitecturePackageVersionFilename
Alpineedge-communitynoarchpy3-rencode< 1.0.6-r7UNKNOWN
Alpine3.17-communitynoarchpy3-rencode< 1.0.6-r7UNKNOWN
Alpine3.18-communitynoarchpy3-rencode< 1.0.6-r7UNKNOWN
Alpine3.19-communitynoarchpy3-rencode< 1.0.6-r7UNKNOWN
Alpine3.20-communitynoarchpy3-rencode< 1.0.6-r7UNKNOWN

OS	Version	Architecture	Package	Version	Filename
Alpine	edge-community	noarch	py3-rencode	< 1.0.6-r7	UNKNOWN
Alpine	3.17-community	noarch	py3-rencode	< 1.0.6-r7	UNKNOWN
Alpine	3.18-community	noarch	py3-rencode	< 1.0.6-r7	UNKNOWN
Alpine	3.19-community	noarch	py3-rencode	< 1.0.6-r7	UNKNOWN
Alpine	3.20-community	noarch	py3-rencode	< 1.0.6-r7	UNKNOWN