Description
Lib/zipfile.py in Python through 3.7.2 allows remote attackers to cause a denial of service (resource consumption) via a ZIP bomb.
A ZIP bomb attack was found in the Python zipfile module. A remote attacker could abuse this flaw by providing a specially crafted ZIP file that, when decompressed by zipfile, would exhaust system resources resulting in a denial of service.
Statement
There is no plan to fix this flaw. Programs using the Python zipfile module should be responsible for validating external untrusted ZIP files. For further details, please refer to the following URLs:
[1] https://docs.python.org/dev/library/zipfile.html#decompression-pitfalls
[2] https://python-security.readthedocs.io/security.html#archives-and-zip-bomb
Affected packages
Platform | Package | State | Recommendation | Release |
---|---|---|---|---|
Red Hat Enterprise Linux 5 | python | Will not fix | | |
Red Hat Enterprise Linux 6 | python | Will not fix | | |
Red Hat Enterprise Linux 7 | python | Will not fix | | |
Red Hat Enterprise Linux 7 | python3 | Will not fix | | |
Red Hat Enterprise Linux 8 | python27:2.7/python2 | Will not fix | | |
Red Hat Enterprise Linux 8 | python3 | Will not fix | | |
Red Hat Enterprise Linux 8 | python36:3.6/python36 | Will not fix | | |
Red Hat Software Collections | python27-python | Will not fix | | |
Red Hat Software Collections | rh-python36-python | Will not fix | | |
Additional information
Status:
4.2 Medium
CVSS3