CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
AI Score
Confidence
Low
A Denial of Service (DoS) vulnerability exists in the jaraco/zipp library,
affecting all versions prior to 3.19.1. The vulnerability is triggered when
processing a specially crafted zip file that leads to an infinite loop.
This issue also impacts the zipfile module of CPython, as features from the
third-party zipp library are later merged into CPython, and the affected
code is identical in both projects. The infinite loop can be initiated
through the use of functions affecting the Path
module in both zipp and
zipfile, such as joinpath
, the overloaded division operator, and
iterdir
. Although the infinite loop is not resource exhaustive, it
prevents the application from responding. The vulnerability was addressed
in version 3.19.1 of jaraco/zipp.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 20.04 | noarch | python-zipp | < 1.0.0-1ubuntu0.1 | UNKNOWN |
ubuntu | 22.04 | noarch | python-zipp | < 1.0.0-3ubuntu0.1 | UNKNOWN |
ubuntu | 24.04 | noarch | python-zipp | < 1.0.0-6ubuntu0.1 | UNKNOWN |