Vulnerability Name: CVE-2013-7338 (CCN-90795)

Assigned: 2014-01-04

Published: 2014-01-04

Updated: 2019-08-21

Summary: Python before 3.3.4 RC1 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a file size value larger than the size of the zip file to the (1) ZipExtFile.read, (2) ZipExtFile.read(n), (3) ZipExtFile.readlines, (4) ZipFile.extract, or (5) ZipFile.extractall function.

CVSS v3 Severity:
- 5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVSS v2 Severity:
- 7.1 High (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C)
- 5.3 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:C/E:U/RL:OF/RC:C)
- 3.7 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C)

Vulnerability Type: CWE-20

Vulnerability Consequences: Denial of Service
References:
- Source: CCN; Type: Python Web site: zipfile - ZipExtFile.read goes into 100% CPU infinite loop on maliciously binary edited zips
- Source: CONFIRM; Type: Exploit, Patch, Vendor Advisory: http://bugs.python.org/issue20078
- Source: MITRE; Type: CNA: CVE-2013-7338
- Source: CONFIRM; Type: Exploit, Patch, Vendor Advisory: http://hg.python.org/cpython/rev/79ea4ce431b1
- Source: APPLE; Type: Mailing List: APPLE-SA-2015-08-13-2
- Source: SUSE; Type: Mailing List, Third Party Advisory: openSUSE-SU-2014:0597
- Source: CCN; Type: oss-security Mailing List, Tue 18 Mar 2014: CVE request for python/zipfile
- Source: MLIST; Type: Mailing List, Third Party Advisory: [oss-security] 20140318 CVE request for python/zipfile
- Source: MLIST; Type: Mailing List, Third Party Advisory: [oss-security] 20140319 Re: CVE request for python/zipfile
- Source: CCN; Type: SA56627: Python "ZipExtFile._read2()" Denial of Service Vulnerability
- Source: BID; Type: Third Party Advisory, VDB Entry: 65179
- Source: CCN; Type: BID-65179: Python 'ZipExtFile._read2()' Method Denial of Service Vulnerability
- Source: SECTRACK; Type: Third Party Advisory, VDB Entry: 1029973
- Source: CONFIRM; Type: Vendor Advisory: https://docs.python.org/3.3/whatsnew/changelog.html
- Source: XF; Type: UNKNOWN: python-zipextfile-dos(90795)
- Source: GENTOO; Type: Third Party Advisory: GLSA-201503-10
- Source: CONFIRM; Type: Patch, Vendor Advisory: https://support.apple.com/kb/HT205031
Vulnerable Configuration:
- Configuration 1:
- Configuration 2:
- Configuration CCN 1:

Oval Definitions: