CVE Published: 19/03/2024 |
CVE Updated: 02/08/2024 |
CVE Year: 2024 Source: PSF |
Vendor: Python Software Foundation |
Product: CPython Status : PUBLISHED
CVE-2024-0450 Description
An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.
The zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive.
Metrics
CVSS Version: 3.1 |
Base Score: 6.2 MEDIUM Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H