CVE-2019-9674
Advisory lineage Upstream: 0 Downstream: 17
Analyzed
Published: 04 Feb 2020, 14:05
Last modified:04 Aug 2024, 21:54
Vulnerability Summary
Overall Risk (default): medium (30/100)
CVSS Score: 7.5 HIGH, v3.1 (nvd)
EPSS Score: 1.42% LOW (1% probability, +0.26%)
KEV: Not listed
Ransomware: No reports
Public exploits: None found
Dark Web: Not detected
Timeline
04 Feb 2020, 14:05
Published
Vulnerability first disclosed
04 Aug 2024, 21:54
Last Modified
Vulnerability information updated
Description
Lib/zipfile.py in Python through 3.7.2 allows remote attackers to cause a denial of service (resource consumption) via a ZIP bomb. The zipfile module takes each member's uncompressed size from attacker-controlled headers and applies no limit on the decompression ratio or on the total bytes produced, so an archive of a few kilobytes can expand to gigabytes of memory or disk when extracted with extractall() or read(). Bounding the output is left to the caller.
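The following is an added example, not CPython's code and not part of the advisory. It builds a small DEFLATE bomb in memory (a constructed sample, not a real-world payload) and extracts it with a byte budget that counts bytes as they are actually produced rather than trusting the sizes in the central directory. The limits, the exception class and the helper names are hypothetical policy choices.

```python
"""Added example for CVE-2019-9674, not part of CPython or the advisory:
a small in-memory decompression bomb and an extractor that enforces a
byte budget. Limits and names are hypothetical policy choices."""
import io
import zipfile

CHUNK = 64 * 1024
DEFAULT_MAX_TOTAL = 50 * 1024 * 1024   # hypothetical: 50 MiB of output, total
DEFAULT_MAX_RATIO = 100.0              # hypothetical: refuse claims above 100:1


class DecompressionBomb(Exception):
    """Raised when an archive exceeds the configured budget."""


def make_bomb(uncompressed_size: int) -> bytes:
    """Constructed sample: one DEFLATE member of `uncompressed_size` zero
    bytes. Zeros compress at roughly 1000:1, so a few KiB on disk claims
    megabytes on extraction. Written in chunks so the builder itself does
    not allocate the full payload."""
    buf = io.BytesIO()
    block = b"\x00" * CHUNK
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        with zf.open("payload.bin", "w") as member:
            remaining = uncompressed_size
            while remaining > 0:
                n = min(CHUNK, remaining)
                member.write(block[:n])
                remaining -= n
    return buf.getvalue()


def make_benign() -> bytes:
    """Constructed sample: two small text members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("hello.txt", b"hello")
        zf.writestr("notes/readme.txt", b"readme " * 20)
    return buf.getvalue()


def check_headers(zf: zipfile.ZipFile, max_total: int, max_ratio: float) -> int:
    """Cheap pre-filter using the sizes the central directory *claims*.
    Those fields are attacker-controlled, so this only rejects archives that
    do not bother to lie; the streaming check in safe_extract() is what
    actually bounds resource use. Returns the claimed total."""
    total = 0
    for info in zf.infolist():
        if info.compress_size > 0 and info.file_size / info.compress_size > max_ratio:
            raise DecompressionBomb(
                f"{info.filename}: claimed ratio "
                f"{info.file_size / info.compress_size:.0f}:1 exceeds {max_ratio:.0f}:1")
        total += info.file_size
        if total > max_total:
            raise DecompressionBomb(f"claimed total {total} bytes exceeds budget {max_total}")
    return total


def safe_extract(archive_bytes: bytes, max_total: int = DEFAULT_MAX_TOTAL,
                 max_ratio: float = DEFAULT_MAX_RATIO) -> dict:
    """Decompress every member into memory, counting bytes as they are
    produced and aborting the moment the running total passes `max_total`.
    Unlike ZipFile.extractall(), this bounds output regardless of what the
    headers say (including overlapping entries that reuse one compressed
    stream). Returns {name: bytes}."""
    out = {}
    produced = 0
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        check_headers(zf, max_total, max_ratio)
        for info in zf.infolist():
            if info.is_dir():
                continue
            parts = []
            with zf.open(info) as member:
                while True:
                    chunk = member.read(CHUNK)
                    if not chunk:
                        break
                    produced += len(chunk)
                    if produced > max_total:
                        raise DecompressionBomb(
                            f"{info.filename}: output passed {max_total} bytes mid-stream")
                    parts.append(chunk)
            out[info.filename] = b"".join(parts)
    return out


def is_rejected(archive_bytes: bytes, **limits) -> bool:
    """True if safe_extract() refuses the archive under `limits`."""
    try:
        safe_extract(archive_bytes, **limits)
    except DecompressionBomb:
        return True
    return False


if __name__ == "__main__":
    bomb = make_bomb(8 * 1024 * 1024)
    print(f"bomb: {len(bomb)} bytes on disk, claims 8 MiB")
    print("bomb rejected:", is_rejected(bomb, max_total=1024 * 1024))
    print("benign extracted:", sorted(safe_extract(make_benign())))
```

The header pass is only a fast reject for archives whose central directory is honest; the streaming counter is the control that holds when file_size and compress_size are forged or when several entries point at the same compressed data. For extraction to disk, apply the same running total to the bytes written, and pair it with path validation, since the budget says nothing about where members land.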
CVSS Metrics
- v3.1 • HIGH • Score: 7.5 • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- v2.0 • MEDIUM • Score: 5.0 • AV:N/AC:L/Au:N/C:N/I:N/A:P
EPSS Trends
Current EPSS score: 1.42% • Percentile: 81%
Techniques & Countermeasures
- CWE-400 • Uncontrolled Resource Consumption
The product does not properly control the allocation and maintenance of a limited resource.
Affected Systems
- canonical • ubuntu_linux
12.04 | 14.04 | 16.04 | 18.04 | 20.04
- netapp • active_iq_unified_manager
na
- python • python
≥ 3.2, ≤ 3.8
References (9)
- https://www.python.org/news/security/
- https://github.com/python/cpython/blob/master/Lib/zipfile.py
- https://bugs.python.org/issue36462
- https://bugs.python.org/issue36260
- https://python-security.readthedocs.io/security.html#archives-and-zip-bomb
- https://security.netapp.com/advisory/ntap-20200221-0003/
- http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00003.html
- http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00041.html
- https://usn.ubuntu.com/4428-1/