Vulnerability Details: CVE-2019-20907
In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.
Products affected by CVE-2019-20907
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*
- cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:vsphere:*:*
- cpe:2.3:a:netapp:cloud_volumes_ontap_mediator:-:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
Threat overview for CVE-2019-20907
- Top countries where our scanners detected CVE-2019-20907: (map not included in this text)
- Top open port discovered on systems with this issue: 80
- IPs affected by CVE-2019-20907: 177,995
- Threat actors abusing this issue? Yes
Exploit prediction scoring system (EPSS) score for CVE-2019-20907
- EPSS score: 1.18% (probability of exploitation activity in the next 30 days)
- Percentile: ~85% (the proportion of vulnerabilities scored at or below this score)
- EPSS score history: (chart not included in this text)
CVSS scores for CVE-2019-20907
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P | 10.0 | 2.9 | NIST | |
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | NIST | |
CWE ids for CVE-2019-20907
- The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2019-20907
- https://usn.ubuntu.com/4428-1/ (Third Party Advisory): USN-4428-1: Python vulnerabilities | Ubuntu security notices | Ubuntu
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YILCHHTNLH4GG4GSQBX2MZRKZBXOLCKE/ (Third Party Advisory): [SECURITY] Fedora 32 Update: python36-3.6.11-3.fc32 - package-announce - Fedora Mailing-Lists
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V53P2YOLEQH4J7S5QHXMKMZYFTVVMTMO/ (Third Party Advisory): [SECURITY] Fedora 31 Update: python3-3.7.8-2.fc31 - package-announce - Fedora Mailing-Lists
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LE4O3PNDNNOMSKHNUKZKD3NGHIFUFDPX/ (Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20200731-0002/ (Third Party Advisory): CVE-2019-20907 Python Vulnerability in NetApp Products | NetApp Product Security
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TOGKLGTXZLHQQFBVCAPSUDA6DOOJFNRY/ (Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html: [SECURITY] [DLA 3432-1] python2.7 security update
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VT4AF72TJ2XNIKCR4WEBR7URBJJ4YZRD/ (Third Party Advisory): [SECURITY] Fedora 32 Update: mingw-python3-3.8.3-3.fc32 - package-announce - Fedora Mailing-Lists
- https://github.com/python/cpython/pull/21454 (Patch; Third Party Advisory): bpo-39017 Fix infinite loop in the tarfile module by rishi93 · Pull Request #21454 · python/cpython · GitHub
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CNHPQGSP2YM3JAUD2VAMPXTIUQTZ2M2U/ (Third Party Advisory): [SECURITY] Fedora 31 Update: python36-3.6.11-3.fc31 - package-announce - Fedora Mailing-Lists
- https://www.oracle.com/security-alerts/cpujan2021.html (Patch; Third Party Advisory): Oracle Critical Patch Update Advisory - January 2021
- http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00051.html (Mailing List; Third Party Advisory): [security-announce] openSUSE-SU-2020:1254-1: moderate: Security update f
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PDKKRXLNVXRF6VGERZSR3OMQR5D5QI6I/ (Third Party Advisory): [SECURITY] Fedora 31 Update: python2-2.7.18-2.fc31 - package-announce - Fedora Mailing-Lists
- http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00053.html (Mailing List; Third Party Advisory): [security-announce] openSUSE-SU-2020:1258-1: moderate: Security update f
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YSL3XWVDMSMKO23HR74AJQ6VEM3C2NTS/ (Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/36XI3EEQNMHGOZEI63Y7UV6XZRELYEAU/ (Third Party Advisory): [SECURITY] Fedora 31 Update: python35-3.5.9-9.fc31 - package-announce - Fedora Mailing-Lists
- https://security.gentoo.org/glsa/202008-01 (Third Party Advisory): Python: Multiple vulnerabilities (GLSA 202008-01) — Gentoo security
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NTBKKOLFFNHG6CM4ACDX4APHSD5ZX5N4/ (Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00052.html (Mailing List; Third Party Advisory): [security-announce] openSUSE-SU-2020:1257-1: moderate: Security update f
- https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html (Mailing List; Third Party Advisory): [SECURITY] [DLA 2337-1] python2.7 security update
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CAXHCY4V3LPAAJOBCJ26ISZ4NUXQXTUZ/ (Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CTUNTBJ3POHONQOTLEZC46POCIYYTAKZ/ (Third Party Advisory): [SECURITY] Fedora 32 Update: python35-3.5.9-9.fc32 - package-announce - Fedora Mailing-Lists
- http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00056.html (Mailing List; Third Party Advisory): [security-announce] openSUSE-SU-2020:1265-1: moderate: Security update f
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OXI72HIHMXCQFWTULUXDG7VDA2BCYL4Y/ (Mailing List; Third Party Advisory): [SECURITY] Fedora 32 Update: python34-3.4.10-11.fc32 - package-announce - Fedora Mailing-Lists
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V3TALOUBYU2MQD4BPLRTDQUMBKGCAXUA/ (Third Party Advisory): [SECURITY] Fedora 32 Update: python3-docs-3.8.5-1.fc32 - package-announce - Fedora Mailing-Lists
- https://bugs.python.org/issue39017 (Issue Tracking; Vendor Advisory): Issue 39017: Infinite loop in the tarfile module - Python tracker
- https://lists.debian.org/debian-lts-announce/2020/11/msg00032.html (Mailing List; Third Party Advisory): [SECURITY] [DLA 2456-1] python3.5 security update