Lucene search

K

GoogleOSV:BIT-PYTHON-2024-7592

HistorySep 16, 2024 - 12:03 p.m.

BIT-python-2024-7592

2024-09-1612:03:55

Google

osv.dev

4

cpython

http.cookies

low severity

excessive cpu usage

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

44.5%

There is a LOW severity vulnerability affecting CPython, specifically the’http.cookies’ standard library module.When parsing cookies that contained backslashes for quoted characters inthe cookie value, the parser would use an algorithm with quadraticcomplexity, resulting in excess CPU resources being used while parsing thevalue.

References

github.com/python/cpython/commit/391e5626e3ee5af267b97e37abc7475732e67621

github.com/python/cpython/commit/a77ab24427a18bff817025adb03ca920dc3f1a06

github.com/python/cpython/commit/b2f11ca7667e4d57c71c1c88b255115f16042d9a

github.com/python/cpython/commit/d4ac921a4b081f7f996a5d2b101684b67ba0ed7f

github.com/python/cpython/commit/d662e2db2605515a767f88ad48096b8ac623c774

github.com/python/cpython/commit/dcc3eaef98cd94d6cb6cb0f44bd1c903d04f33b1

github.com/python/cpython/issues/123067

github.com/python/cpython/pull/123075

mail.python.org/archives/list/[email protected]/thread/HXJAAAALNUNGCQUS2W7WR6GFIZIHFOOK/

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

44.5%

Related for OSV:BIT-PYTHON-2024-7592

osv8 redhatcve1 cvelist1 debiancve1 nessus8 cbl_mariner2 nvd1 wolfi1 vulnrichment1 alpinelinux1 cve1 openvas8 fedora7 slackware1