Vulnerability Details: CVE-2013-7338
Python before 3.3.4 RC1 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a file size value larger than the size of the zip file to the (1) ZipExtFile.read, (2) ZipExtFile.read(n), (3) ZipExtFile.readlines, (4) ZipFile.extract, or (5) ZipFile.extractall function.
Vulnerability category: Input validation; Denial of service
Products affected by CVE-2013-7338
- cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.3.3:rc1:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.3.3:rc2:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.3.1:rc1:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.3.0:-:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.3.0:alpha1:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.3.0:alpha2:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.3.0:alpha3:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.3.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.3.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.3.1:-:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.3.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.3.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.3.0:alpha4:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.3.0:beta2:*:*:*:*:*:*
Threat overview for CVE-2013-7338
Top countries where our scanners detected CVE-2013-7338
Top open port discovered on systems with this issue: 88
IPs affected by CVE-2013-7338: 118
Threat actors abusing this issue? Yes
Exploit prediction scoring system (EPSS) score for CVE-2013-7338
EPSS score: 0.62% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~76% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2013-7338
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
7.1 | HIGH | AV:N/AC:M/Au:N/C:N/I:N/A:C | 8.6 | 6.9 | NIST |
CWE ids for CVE-2013-7338
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: nvd@nist.gov (Primary)
References for CVE-2013-7338
- http://hg.python.org/cpython/rev/79ea4ce431b1 (cpython: 79ea4ce431b1) [Exploit; Patch; Vendor Advisory]
- http://www.securityfocus.com/bid/65179 (Python 'ZipExtFile._read2()' Method Denial of Service Vulnerability) [Third Party Advisory; VDB Entry]
- http://lists.opensuse.org/opensuse-updates/2014-05/msg00008.html (openSUSE-SU-2014:0597-1: moderate: update for python3) [Mailing List; Third Party Advisory]
- http://seclists.org/oss-sec/2014/q1/592 (oss-sec: CVE request for python/zipfile) [Mailing List; Third Party Advisory]
- http://www.securitytracker.com/id/1029973 (Python Zipfile Processing Flaw Lets Remote Users Deny Service - SecurityTracker) [Third Party Advisory; VDB Entry]
- https://security.gentoo.org/glsa/201503-10 (Python: Multiple vulnerabilities (GLSA 201503-10) — Gentoo security) [Third Party Advisory]
- http://bugs.python.org/issue20078 (Issue 20078: zipfile - ZipExtFile.read goes into 100% CPU infinite loop on maliciously binary edited zips - Python tracker) [Exploit; Patch; Vendor Advisory]
- https://docs.python.org/3.3/whatsnew/changelog.html (Changelog — Python 3.3.7 documentation) [Vendor Advisory]
- https://support.apple.com/kb/HT205031 (About the security content of OS X Yosemite v10.10.5 and Security Update 2015-006 - Apple Support) [Patch; Vendor Advisory]
- http://seclists.org/oss-sec/2014/q1/595 (oss-sec: Re: CVE request for python/zipfile) [Mailing List; Third Party Advisory]
- http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html (Apple - Lists.apple.com) [Mailing List]