ALPINE:CVE-2024-8088 (CVE-2024-8088)
Alpine Linux Development Team, security.alpinelinux.org
Published: Aug 22, 2024 - 7:15 p.m. (2024-08-22 19:15:09)
Tags: cpython, zipfile, vulnerability, high severity, zip archive, infinite loop, malicious, crafted, metadata, extract, unix

CVSS 4.0 base score: 8.7 (High)
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/SC:N/VI:N/SI:N/VA:H/SA:N/S:N/AU:N/R:U/RE:L
EPSS: 0.001 (percentile 17.8%)

There is a HIGH severity vulnerability in the CPython "zipfile" module,
specifically in the "zipfile.Path" class. Note that the more commonly used
"zipfile.ZipFile" class is unaffected.

When iterating over the names of entries in a zip archive (for example, via
"zipfile.Path" methods such as "iterdir()", or the "namelist()" they call),
a maliciously crafted zip archive can put the process into an infinite loop.
The defect is triggered both when only reading metadata and when extracting
the contents of the archive. Programs that do not handle user-controlled zip
archives are not affected.
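The practical boundary the advisory draws is that "zipfile.ZipFile" is unaffected while "zipfile.Path" is not, and that only user-controlled archives matter. The following is an added example (not code from the Alpine advisory or from CPython) of how a program can respect that boundary: it inspects an untrusted archive with ZipFile only, rejects entry names that fail a conservative allow-list, and hands the archive to zipfile.Path only after it passes. The sample archives are constructed in memory here, and the name rules (no absolute paths, no empty or dot segments, no backslashes, no NUL bytes) are this example's assumptions about what untrusted input should look like, not the advisory's published trigger.

```python
import io
import zipfile

# Constructed sample entry lists for this example; they are not taken from the
# advisory and do not reproduce its published trigger.
GOOD_NAMES = ["a.txt", "dir/b.txt"]
BAD_NAMES = ["ok.txt", "//two-slash.txt", "../parent.txt"]


def make_archive(names):
    """Build an in-memory zip with the given entry names (one byte of content each)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"x")
    return buf.getvalue()


def entry_name_problems(name):
    """Return the reasons an entry name is not acceptable from an untrusted source.

    The rules are a conservative allow-list for untrusted input (an assumption
    of this example, not the advisory's trigger): POSIX-separated relative
    paths made of non-empty, non-dot segments, with an optional trailing "/"
    for directory entries.
    """
    if not name:
        return ["empty name"]
    problems = []
    if "\x00" in name:
        problems.append("NUL byte")
    if "\\" in name:
        problems.append("backslash separator")
    if name.startswith("/"):
        problems.append("absolute path")
    parts = name.split("/")
    # A single trailing "/" marks a directory entry; any other empty segment
    # means a leading or doubled slash.
    inner = parts[:-1] if parts[-1] == "" else parts
    if "" in inner:
        problems.append("empty path segment")
    if any(part in (".", "..") for part in parts):
        problems.append("dot segment")
    return problems


def vet_archive(data):
    """Inspect an untrusted archive using zipfile.ZipFile only (unaffected per the
    advisory) and return {entry_name: [problems]} for every rejected entry."""
    bad = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            problems = entry_name_problems(name)
            if problems:
                bad[name] = problems
    return bad


def list_top_level(data):
    """Use zipfile.Path only after the archive passed vetting; return sorted
    names of the root's children (files and implied directories)."""
    bad = vet_archive(data)
    if bad:
        raise ValueError(f"refusing untrusted archive, bad entries: {bad}")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        root = zipfile.Path(zf)
        return sorted(child.name for child in root.iterdir())


if __name__ == "__main__":
    print("good archive:", list_top_level(make_archive(GOOD_NAMES)))
    try:
        list_top_level(make_archive(BAD_NAMES))
    except ValueError as exc:
        print("rejected:", exc)
```

The vetting step never touches zipfile.Path, so it cannot be driven into the loop the advisory describes regardless of interpreter version; the allow-list is deliberately stricter than the vulnerability requires, which is the right default for archives that arrive over the network. Upgrading to a fixed CPython build remains the actual remediation.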
