NVD

CVE-2024-8088 Detail

Awaiting Analysis

This vulnerability is currently awaiting analysis.

Description

There is a HIGH severity vulnerability affecting the CPython "zipfile" module affecting "zipfile.Path". Note that the more common API "zipfile.ZipFile" class is unaffected. When iterating over names of entries in a zip archive (for example, methods of "zipfile.Path" like "namelist()", "iterdir()", etc) the process can be put into an infinite loop with a maliciously crafted zip archive. This defect applies when reading only metadata or extracting the contents of the zip archive. Programs that are not handling user-controlled zip archives are not affected.

Metrics

NVD enrichment efforts reference publicly available information to associate vector strings. CVSS information contributed by other sources is also displayed.

CVSS 4.0 Severity and Vector Strings:

NIST: NVD

N/A

NVD assessment not yet provided.

Nist CVSS score does not match with CNA score

CNA: Python Software Foundation

CVSS-B 8.7 HIGH

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/S:N/AU:N/R:U/RE:L

CVSS 3.x Severity and Vector Strings:

NIST: NVD

Base Score: N/A

NVD assessment not yet provided.

CVSS 2.0 Severity and Vector Strings:

National Institute of Standards and Technology

NIST: NVD

Base Score: N/A

NVD assessment not yet provided.

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

Hyperlink	Resource
https://github.com/python/cpython/commit/0aa1ee22ab6e204e9d3d0e9dd63ea648ed691ef1
https://github.com/python/cpython/commit/2231286d78d328c2f575e0b05b16fe447d1656d6
https://github.com/python/cpython/commit/795f2597a4be988e2bb19b69ff9958e981cb894e
https://github.com/python/cpython/commit/7bc367e464ce50b956dd232c1dfa1cad4e7fb814
https://github.com/python/cpython/commit/7e8883a3f04d308302361aeffc73e0e9837f19d4
https://github.com/python/cpython/commit/8c7348939d8a3ecd79d630075f6be1b0c5b41f64
https://github.com/python/cpython/commit/95b073bddefa6243effa08e131e297c0383e7f6a
https://github.com/python/cpython/commit/962055268ed4f2ca1d717bfc8b6385de50a23ab7
https://github.com/python/cpython/commit/dcc5182f27c1500006a1ef78e10613bb45788dea
https://github.com/python/cpython/commit/e0264a61119d551658d9445af38323ba94fc16db
https://github.com/python/cpython/commit/fc0b8259e693caa8400fa8b6ac1e494e47ea7798
https://github.com/python/cpython/issues/122905
https://github.com/python/cpython/issues/123270
https://github.com/python/cpython/pull/122906
https://mail.python.org/archives/list/security-announce@python.org/thread/GNFCKVI4TCATKQLALJ5SN4L4CSPSMILU/

Weakness Enumeration

CWE-ID	CWE Name	Source
CWE-835	Loop with Unreachable Exit Condition ('Infinite Loop')	Python Software Foundation

Change History

7 change records found show changes

New CVE Received by NIST 8/22/2024 3:15:09 PM

Action	Type	New Value
Added	CVSS V3.1	Python Software Foundation AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Added	CVSS V4.0	Python Software Foundation CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:U/V:X/RE:L/U:X
Added	CWE	Python Software Foundation CWE-835
Added	Description	There is a HIGH severity vulnerability affecting the CPython "zipfile" module. When iterating over names of entries in a zip archive (for example, methods of "zipfile.ZipFile" like "namelist()", "iterdir()", "extractall()", etc) the process can be put into an infinite loop with a maliciously crafted zip archive. This defect applies when reading only metadata or extracting the contents of the zip archive. Programs that are not handling user-controlled zip archives are not affected.
Added	Reference	Python Software Foundation https://github.com/python/cpython/commit/795f2597a4be988e2bb19b69ff9958e981cb894e [No types assigned]
Added	Reference	Python Software Foundation https://github.com/python/cpython/commit/8c7348939d8a3ecd79d630075f6be1b0c5b41f64 [No types assigned]
Added	Reference	Python Software Foundation https://github.com/python/cpython/commit/dcc5182f27c1500006a1ef78e10613bb45788dea [No types assigned]
Added	Reference	Python Software Foundation https://github.com/python/cpython/issues/122905 [No types assigned]
Added	Reference	Python Software Foundation https://github.com/python/cpython/pull/122906 [No types assigned]
Added	Reference	Python Software Foundation https://mail.python.org/archives/list/security-announce@python.org/thread/GNFCKVI4TCATKQLALJ5SN4L4CSPSMILU/ [No types assigned]

Quick Info

CVE Dictionary Entry:
CVE-2024-8088
NVD Published Date:
08/22/2024
NVD Last Modified:
09/04/2024
Source:
Python Software Foundation

You are viewing this page in an unauthorized frame window.

Information Technology Laboratory

National Vulnerability Database

National Vulnerability Database

CVE-2024-8088 Detail

Description

Metrics

References to Advisories, Solutions, and Tools

Weakness Enumeration

Change History

CVE Modified by Python Software Foundation 9/04/2024 7:15:13 PM

CVE Modified by Python Software Foundation 9/04/2024 5:15:14 PM

CVE Modified by Python Software Foundation 9/03/2024 12:15:07 PM

CVE Modified by Python Software Foundation 8/28/2024 10:15:08 AM

CVE Modified by Python Software Foundation 8/26/2024 3:15:08 PM

CVE Modified by Python Software Foundation 8/23/2024 2:15:08 PM

New CVE Received by NIST 8/22/2024 3:15:09 PM

Quick Info