Headline
GHSA-jfmj-5v4g-7637: zipp Denial of Service vulnerability
A Denial of Service (DoS) vulnerability exists in the jaraco/zipp library, affecting all versions prior to 3.19.1. The vulnerability is triggered when processing a specially crafted zip file that leads to an infinite loop. This issue also impacts the zipfile module of CPython, as features from the third-party zipp library are later merged into CPython, and the affected code is identical in both projects. The infinite loop can be initiated through the use of functions affecting the Path
module in both zipp and zipfile, such as joinpath
, the overloaded division operator, and iterdir
. Although the infinite loop is not resource exhaustive, it prevents the application from responding. The vulnerability was addressed in version 3.19.1 of jaraco/zipp.
Skip to content
Navigation Menu
Actions
Automate any workflow
Packages
Host and manage packages
Security
Find and fix vulnerabilities
Codespaces
Instant dev environments
GitHub Copilot
Write better code with AI
Code review
Manage code changes
Issues
Plan and track work
Discussions
Collaborate outside of code
GitHub Sponsors
Fund open source developers
* The ReadME Project
GitHub community articles
Enterprise platform
AI-powered developer platform
- Pricing
Provide feedback
Saved searches****Use saved searches to filter your results more quickly
Sign up
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2024-5569
zipp Denial of Service vulnerability
Moderate severity GitHub Reviewed Published Jul 9, 2024 to the GitHub Advisory Database • Updated Jul 9, 2024
Affected versions
< 3.19.1
Description
A Denial of Service (DoS) vulnerability exists in the jaraco/zipp library, affecting all versions prior to 3.19.1. The vulnerability is triggered when processing a specially crafted zip file that leads to an infinite loop. This issue also impacts the zipfile module of CPython, as features from the third-party zipp library are later merged into CPython, and the affected code is identical in both projects. The infinite loop can be initiated through the use of functions affecting the Path module in both zipp and zipfile, such as joinpath, the overloaded division operator, and iterdir. Although the infinite loop is not resource exhaustive, it prevents the application from responding. The vulnerability was addressed in version 3.19.1 of jaraco/zipp.
References
- https://nvd.nist.gov/vuln/detail/CVE-2024-5569
- jaraco/zipp@fd604bd
- https://huntr.com/bounties/be898306-11f9-46b4-b28c-f4c4aa4ffbae
Published to the GitHub Advisory Database
Jul 9, 2024
Related news
Red Hat Security Advisory 2024-9977-03 - An update for python-zipp is now available for Red Hat OpenStack Platform 17.1. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2024-8906-03 - A new release is now available for Red Hat Satellite 6.16 for RHEL 8 and 9. Issues addressed include bypass, denial of service, memory leak, remote SQL injection, and traversal vulnerabilities.
Red Hat Security Advisory 2024-8232-03 - Red Hat OpenShift Container Platform release 4.17.2 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include a denial of service vulnerability.
Red Hat Security Advisory 2024-6428-03 - An update is now available for Red Hat Ansible Automation Platform 2.4. Issues addressed include denial of service, memory exhaustion, remote SQL injection, and traversal vulnerabilities.
Ubuntu Security Notice 6906-1 - It was discovered that python-zipp did not properly handle the zip files with malformed names. An attacker could possibly use this issue to cause a denial of service.