Описание
urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory allocation for the decompressed data. This vulnerability is fixed in 2.6.0.
A flaw was found in urllib3 Python library that could lead to a Denial of Service condition. A remote, malicious server can exploit this flaw by responding to a client request with an HTTP message that uses an excessive number of chained compression algorithms. This unlimited decompression chain causes the client system to consume a virtually unbounded amount of CPU resources and memory. The high resource usage leads to service disruption, making the application unresponsive.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Assisted Installer for Red Hat OpenShift Container Platform 2 | assisted/agent-preinstall-image-builder-rhel9 | Not affected | ||
| Assisted Installer for Red Hat OpenShift Container Platform 2 | rhai/assisted-installer-agent-rhel9 | Will not fix | ||
| Assisted Installer for Red Hat OpenShift Container Platform 2 | rhai/assisted-installer-controller-rhel9 | Will not fix | ||
| Assisted Installer for Red Hat OpenShift Container Platform 2 | rhai/assisted-installer-rhel9 | Not affected | ||
| cert-manager Operator for Red Hat OpenShift | cert-manager/cert-manager-istio-csr-rhel9 | Affected | ||
| Confidential Compute Attestation | build-of-trustee/trustee-rhel9 | Affected | ||
| Confidential Compute Attestation | confidential-compute-attestation-tech-preview/trustee-rhel9 | Affected | ||
| Confidential Compute Attestation | openshift-sandboxed-containers/osc-cloud-api-adaptor-rhel9 | Affected | ||
| Confidential Compute Attestation | openshift-sandboxed-containers/osc-monitor-rhel9 | Affected | ||
| Confidential Compute Attestation | openshift-sandboxed-containers/osc-podvm-builder-rhel9 | Affected |
Показывать по
Дополнительная информация
Статус:
EPSS
7.5 High
CVSS3
Связанные уязвимости
urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory allocation for the decompressed data. This vulnerability is fixed in 2.6.0.
urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded allowing a malicious server to insert a virtually unlimited number of compression steps leading to high CPU usage and massive memory allocation for the decompressed data. This vulnerability is fixed in 2.6.0.
urllib3 allows an unbounded number of links in the decompression chain
urllib3 is a user-friendly HTTP client library for Python. Starting in ...
urllib3 allows an unbounded number of links in the decompression chain
EPSS
7.5 High
CVSS3