CVE-2024-0450

Summary

An issue was found in the CPython zipfile module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.

The zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive.

Affected Software

VendorProductVersion RangeStatus
Python Software FoundationCPython0 < 3.8.19affected
Python Software FoundationCPython3.9.0 < 3.9.19affected
Python Software FoundationCPython3.10.0 < 3.10.14affected
Python Software FoundationCPython3.11.0 < 3.11.8affected
Python Software FoundationCPython3.12.0 < 3.12.2affected
Python Software FoundationCPython3.13.0a1 < 3.13.0a3affected

Weaknesses

  • CWE-405: CWE-405

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References