Home > Vulnerability Database > CVE-2024-0450

Mend.io Vulnerability Database

CVE-2024-0450

Good to know:

Date: March 19, 2024

An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive.

Language: C

Severity Score

6.2

Related Resources (16)

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-0450

Url: https://github.com/python/cpython/commit/d05bac0b74153beb541b88b4fca33bf053990183

Url: https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html

Url: https://github.com/python/cpython/commit/70497218351ba44bffc8b571201ecb5652d84675

Url: https://github.com/python/cpython/commit/a956e510f6336d5ae111ba429a61c3ade30a7549

Url: https://github.com/python/cpython/issues/109858

Url: https://mail.python.org/archives/list/security-announce@python.org/thread/XELNUX2L3IOHBTFU7RQHCY6OUVEWZ2FG/

Url: https://lists.debian.org/debian-lts-announce/2024/03/msg00024.html

Url: https://github.com/python/cpython/commit/66363b9a7b9fe7c99eba3a185b74c5fdbf842eba

Url: https://github.com/python/cpython/commit/a2c59992e9e8d35baba9695eb186ad6c6ff85c51

Url: https://security-tracker.debian.org/tracker/CVE-2024-0450

Url: https://www.bamsoftware.com/hacks/zipbomb/

Url: https://github.com/python/cpython/commit/fa181fcf2156f703347b03a3b1966ce47be8ab3b

Url: https://github.com/python/cpython/commit/30fe5d853b56138dbec62432d370a1f99409fc85

Url: http://www.openwall.com/lists/oss-security/2024/03/20/5

Url: https://www.mend.io/vulnerability-database/CVE-2024-0450

Severity Score

6.2

Weakness Type (CWE)

Asymmetric Resource Consumption (Amplification)

CWE-405

Top Fix

Upgrade Version

Upgrade to version v3.8.19,v3.9.19

Learn More

CVSS v3.1

Base Score:	6.2
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-0450

Good to know:

Date: March 19, 2024

Language: C

Severity Score

Related Resources (16)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?