Vulnerability Details : CVE-2024-0450
An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.
The zipfile module is vulnerable to "quoted-overlap" zip bombs, which exploit the zip format to create an archive with a very high compression ratio. The fixed versions of CPython make the zipfile module reject zip archives whose entries overlap.
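As an added example (not code from this page or from CPython), the overlap check that the fixed zipfile performs, re-implemented over the public API so it also runs on an unfixed interpreter, plus a probe that tells you whether the interpreter you are running already refuses overlapped entries. It assumes `ZipFile.start_dir` holds the central directory offset, and builds its sample archives inline: an ordinary one, and a constructed fixture in which the central directory record is repeated so two entries reference the same local header and compressed bytes.

```python
import io
import struct
import zipfile
def overlapping_entries(data: bytes) -> list:
    """Names of entries whose compressed data runs past the next entry's local
    header or into the central directory (the condition the fixed zipfile rejects)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = sorted(zf.infolist(), key=lambda i: i.header_offset)
        # Each entry must end before the next local header; the last one before
        # the central directory, whose offset ZipFile keeps in start_dir (assumed).
        ends = [i.header_offset for i in infos[1:]] + [zf.start_dir]
    bad = []
    for info, end in zip(infos, ends):
        off = info.header_offset
        if data[off:off + 4] != b"PK\x03\x04":
            bad.append(info.filename)  # offset does not point at a local header
            continue
        name_len, extra_len = struct.unpack("<HH", data[off + 26:off + 30])
        if off + 30 + name_len + extra_len + info.compress_size > end:
            bad.append(info.filename)
    return bad

def interpreter_rejects_overlap(data: bytes) -> bool:
    """True if this interpreter's zipfile refuses to read an overlapped entry."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        try:
            for info in zf.infolist():
                zf.read(info)
        except zipfile.BadZipFile:
            return True
    return False

def make_archive(name: str, content: bytes) -> bytes:
    """Constructed sample: an ordinary single-entry archive written by zipfile."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, content)
    return buf.getvalue()

def duplicate_central_record(data: bytes) -> bytes:
    """Constructed fixture: repeat the single central-directory record so two
    entries claim the same local header and compressed bytes."""
    eocd = data[-22:]  # zipfile writes no archive comment, so the EOCD is the tail
    assert eocd[:4] == b"PK\x05\x06"
    n_disk, n_total, cd_size, cd_off = struct.unpack("<HHII", eocd[8:20])
    cd = data[cd_off:cd_off + cd_size]
    new_eocd = eocd[:8] + struct.pack("<HHII", n_disk + 1, n_total + 1,
                                      2 * cd_size, cd_off) + eocd[20:]
    return data[:cd_off] + cd + cd + new_eocd
```

On a patched interpreter `interpreter_rejects_overlap` returns True for the fixture (zipfile raises `BadZipFile` on the second entry); on an unpatched one it returns False while `overlapping_entries` still flags the entry.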
Products affected by CVE-2024-0450
Exploit prediction scoring system (EPSS) score for CVE-2024-0450
EPSS score: 0.17% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~40% (the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2024-0450
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
6.2 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 2.5 | 3.6 | Python Software Foundation | 2024-03-19
CWE ids for CVE-2024-0450
- The product does not properly control situations in which an adversary can cause the product to consume or produce excessive resources without requiring the adversary to invest equivalent work or otherwise prove authorization, i.e., the adversary's influence is "asymmetric." (Assigned by: cna@python.org, Secondary)
References for CVE-2024-0450
- [[3.10] gh-109858: Protect zipfile from "quoted-overlap" zipbomb (GH-1… · python/cpython@30fe5d8 · GitHub](https://github.com/python/cpython/commit/30fe5d853b56138dbec62432d370a1f99409fc85)
- [[3.11] gh-109858: Protect zipfile from "quoted-overlap" zipbomb (GH-1… · python/cpython@a956e51 · GitHub](https://github.com/python/cpython/commit/a956e510f6336d5ae111ba429a61c3ade30a7549)
- [Mailman 3 [CVE-2024-0450] Quoted zip-bomb protection for zipfile - Security-announce - python.org](https://mail.python.org/archives/list/security-announce@python.org/thread/XELNUX2L3IOHBTFU7RQHCY6OUVEWZ2FG/)
- https://security.netapp.com/advisory/ntap-20250411-0005/
- [[SECURITY] [DLA 3771-1] python2.7 security update](https://lists.debian.org/debian-lts-announce/2024/03/msg00024.html)
- [[SECURITY] [DLA 3772-1] python3.7 security update](https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html)
- [gh-109858: Protect zipfile from "quoted-overlap" zipbomb (GH-110016) · python/cpython@66363b9 · GitHub](https://github.com/python/cpython/commit/66363b9a7b9fe7c99eba3a185b74c5fdbf842eba)
- [[SECURITY] Fedora 39 Update: python3.6-3.6.15-28.fc39 - package-announce - Fedora Mailing-Lists](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3IGRX54M7RNCQOXVQO5KQKTGWCOABIM/)
- [[3.8] gh-109858: Protect zipfile from "quoted-overlap" zipbomb (GH-11… · python/cpython@d05bac0 · GitHub](https://github.com/python/cpython/commit/d05bac0b74153beb541b88b4fca33bf053990183)
- [[3.9] gh-109858: Protect zipfile from "quoted-overlap" zipbomb (GH-11… · python/cpython@a2c5999 · GitHub](https://github.com/python/cpython/commit/a2c59992e9e8d35baba9695eb186ad6c6ff85c51)
- [Python "zipfile" can't detect "quoted-overlap" zipbomb that can be used as a DoS attack · Issue #109858 · python/cpython · GitHub](https://github.com/python/cpython/issues/109858)
- [[SECURITY] Fedora 40 Update: python3.6-3.6.15-30.fc40 - package-announce - Fedora Mailing-Lists](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5VHWS52HGD743C47UMCSAK2A773M2YE/)
- [Add @requires_zlib() decorator for gh-109858 tests (GH-113918) · python/cpython@7049721 · GitHub](https://github.com/python/cpython/commit/70497218351ba44bffc8b571201ecb5652d84675)
- [oss-security - Security fixes in Python 3.10.14, 3.9.19, and 3.8.19 (CVE-2023-6597 & CVE-2024-0450)](http://www.openwall.com/lists/oss-security/2024/03/20/5)
- [[3.12] gh-109858: Protect zipfile from "quoted-overlap" zipbomb (GH-1… · python/cpython@fa181fc · GitHub](https://github.com/python/cpython/commit/fa181fcf2156f703347b03a3b1966ce47be8ab3b)
- [A better zip bomb](https://www.bamsoftware.com/hacks/zipbomb/)