Byte Open Security (ByteOS Network)

Vulnerability Details: CVE-2024-8088
Summary
Assigner: PSF
Assigner Org ID: 28c92f92-d60d-412d-b760-e73465c3df22
Published At: 22 Aug, 2024 | 18:45
Updated At: 11 Oct, 2024 | 22:03
Infinite loop when iterating over zip archive entry names from zipfile.Path

There is a HIGH severity vulnerability affecting the CPython "zipfile" module affecting "zipfile.Path". Note that the more common API "zipfile.ZipFile" class is unaffected. When iterating over names of entries in a zip archive (for example, methods of "zipfile.Path" like "namelist()", "iterdir()", etc) the process can be put into an infinite loop with a maliciously crafted zip archive. This defect applies when reading only metadata or extracting the contents of the zip archive. Programs that are not handling user-controlled zip archives are not affected.

Common Vulnerabilities and Exposures (CVE) record (cve.org)
CVE Numbering Authority (CNA) container

Affected Products
Vendor: Python Software Foundation
Product: CPython
Repo: https://github.com/python/cpython
Default Status: unaffected
Affected Versions:
  • From 0 before 3.8.20 (python)
  • From 3.9.0 before 3.9.20 (python)
  • From 3.10.0 before 3.10.15 (python)
  • From 3.11.0 before 3.11.10 (python)
  • From 3.12.0 before 3.12.6 (python)
  • From 3.13.0a1 before 3.13.0rc2 (python)
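Two checks a practitioner would want alongside this record, as an added example in Python (not code from the CVE record, CPython or the PSF advisory). The first, is_affected_version(), compares a sys.version_info-shaped tuple (by default the running interpreter) against the CNA's affected ranges listed above; note that the CISA ADP container further down gives a broader range, "From 0 through 3.13.0", and the check follows the CNA list. The second, unsafe_entry_names(), reads an untrusted archive's entry names through "zipfile.ZipFile", which the advisory states is unaffected, and the gate open_if_clean() refuses to construct "zipfile.Path" if any name is absolute, starts with repeated slashes, carries a drive letter or backslash, or contains ".." or an empty path component. That name policy is an assumed defence-in-depth gate that rejects name shapes no legitimate archive needs; it is not the upstream fix, and upgrading to a fixed release remains the remedy. The sample archive is constructed inline.

```python
"""Added example (not from the CVE record, CPython or the PSF advisory).

1. is_affected_version(): compares a sys.version_info-shaped tuple with the
   affected ranges listed in the CNA container for CVE-2024-8088.
2. unsafe_entry_names() / open_if_clean(): enumerate an untrusted archive's
   entry names with zipfile.ZipFile (stated unaffected by the advisory) and
   reject the archive before zipfile.Path ever touches it if a name breaks
   an assumed hygiene policy.
"""
import io
import re
import sys
import zipfile

FINAL = "final"

# Affected ranges copied from the CNA container: (lower inclusive, upper
# exclusive). CPython's releaselevel strings sort 'alpha' < 'beta' <
# 'candidate' < 'final', so plain tuple comparison orders pre-releases
# correctly, e.g. 3.13.0rc1 < 3.13.0rc2 < 3.13.0 final.
AFFECTED_RANGES = [
    ((0,), (3, 8, 20, FINAL, 0)),                          # From 0 before 3.8.20
    ((3, 9), (3, 9, 20, FINAL, 0)),                        # 3.9.0 before 3.9.20
    ((3, 10), (3, 10, 15, FINAL, 0)),                      # 3.10.0 before 3.10.15
    ((3, 11), (3, 11, 10, FINAL, 0)),                      # 3.11.0 before 3.11.10
    ((3, 12), (3, 12, 6, FINAL, 0)),                       # 3.12.0 before 3.12.6
    ((3, 13, 0, "alpha", 1), (3, 13, 0, "candidate", 2)),  # 3.13.0a1 before 3.13.0rc2
]


def is_affected_version(version=None):
    """Return True if `version` (major, minor, micro, releaselevel, serial),
    defaulting to the running interpreter, lies in an affected range."""
    v = tuple(sys.version_info if version is None else version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


# Assumed hygiene policy for entry names (defence in depth, not the upstream
# fix): no absolute paths or repeated leading slashes, no drive letters, no
# backslashes, no '..' and no empty path components such as 'a//b'. A single
# trailing '/' marks a directory entry and is allowed.
_ABS_OR_DRIVE = re.compile(r"^(?:/|[A-Za-z]:)")


def is_unsafe_entry_name(name):
    if not name or _ABS_OR_DRIVE.match(name) or "\\" in name:
        return True
    parts = name[:-1].split("/") if name.endswith("/") else name.split("/")
    return any(part in ("", "..") for part in parts)


def unsafe_entry_names(zip_bytes):
    """Return the offending entry names of an in-memory archive, reading the
    central directory only through the zipfile.ZipFile API."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [name for name in zf.namelist() if is_unsafe_entry_name(name)]


def open_if_clean(zip_bytes):
    """Gate: hand the archive to zipfile.Path only when no name is rejected."""
    bad = unsafe_entry_names(zip_bytes)
    if bad:
        raise ValueError(f"rejected archive, unsafe entry names: {bad}")
    return zipfile.Path(zipfile.ZipFile(io.BytesIO(zip_bytes)))


def build_sample_archive(include_bad=True):
    """Constructed sample, not a real malicious file: two ordinary entries
    plus, optionally, three names the policy should reject."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", b"hello")
        zf.writestr("docs/notes/todo.txt", b"later")
        if include_bad:
            zf.writestr("//abs/path.txt", b"x")   # repeated leading slashes
            zf.writestr("../escape.txt", b"x")    # parent traversal
            zf.writestr("a//b.txt", b"x")         # empty path component
    return buf.getvalue()


if __name__ == "__main__":
    print("running interpreter affected:", is_affected_version())
    print("rejected names:", unsafe_entry_names(build_sample_archive()))
    root = open_if_clean(build_sample_archive(include_bad=False))
    print("clean archive top-level entries:", sorted(p.name for p in root.iterdir()))
```

Run the file directly to see the gate applied to the constructed archive; on an interpreter inside the CNA ranges is_affected_version() returns True, and open_if_clean() raises ValueError for the archive that carries the three rejected names.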
Problem Types
CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')
Metrics
Version: CVSS 4.0
Base score: 8.7 (HIGH)
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/S:N/AU:N/R:U/RE:L
Credits
Remediation developer: Jason R. Coombs
Coordinator: Seth Larson
References
  • https://mail.python.org/archives/list/security-announce@python.org/thread/GNFCKVI4TCATKQLALJ5SN4L4CSPSMILU/ (vendor-advisory)
  • https://github.com/python/cpython/pull/122906 (patch)
  • https://github.com/python/cpython/issues/122905 (issue-tracking)
  • https://github.com/python/cpython/commit/795f2597a4be988e2bb19b69ff9958e981cb894e (patch)
  • https://github.com/python/cpython/commit/8c7348939d8a3ecd79d630075f6be1b0c5b41f64 (patch)
  • https://github.com/python/cpython/commit/dcc5182f27c1500006a1ef78e10613bb45788dea (patch)
  • https://github.com/python/cpython/commit/e0264a61119d551658d9445af38323ba94fc16db (patch)
  • https://github.com/python/cpython/issues/123270 (issue-tracking)
  • https://github.com/python/cpython/commit/2231286d78d328c2f575e0b05b16fe447d1656d6 (patch)
  • https://github.com/python/cpython/commit/7e8883a3f04d308302361aeffc73e0e9837f19d4 (patch)
  • https://github.com/python/cpython/commit/95b073bddefa6243effa08e131e297c0383e7f6a (patch)
  • https://github.com/python/cpython/commit/7bc367e464ce50b956dd232c1dfa1cad4e7fb814 (patch)
  • https://github.com/python/cpython/commit/962055268ed4f2ca1d717bfc8b6385de50a23ab7 (patch)
  • https://github.com/python/cpython/commit/fc0b8259e693caa8400fa8b6ac1e494e47ea7798 (patch)
  • https://github.com/python/cpython/commit/0aa1ee22ab6e204e9d3d0e9dd63ea648ed691ef1 (patch)
Authorized Data Publishers (ADP)
1. CVE Program Container
References
  • http://www.openwall.com/lists/oss-security/2024/08/22/1
  • http://www.openwall.com/lists/oss-security/2024/08/22/4
  • http://www.openwall.com/lists/oss-security/2024/08/23/1
  • http://www.openwall.com/lists/oss-security/2024/08/23/2
  • https://security.netapp.com/advisory/ntap-20241011-0010/
2. CISA ADP Vulnrichment
Affected Products
Vendor: Python Software Foundation (python_software_foundation)
Product: cpython
CPE: cpe:2.3:a:python_software_foundation:cpython:*:*:*:*:*:*:*:*
Default Status: unknown
Affected Versions:
  • From 0 through 3.13.0 (custom)
National Vulnerability Database (NVD) record (nvd.nist.gov)
Source: cna@python.org
Published At: 22 Aug, 2024 | 19:15
Updated At: 04 Sep, 2024 | 23:15
CISA Catalog: N/A
Metrics (Secondary source)
Version: CVSS 4.0
Base score: 8.7 (HIGH)
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:U/V:X/RE:L/U:X
Weaknesses
CWE-835 (Secondary, source: cna@python.org)
References (source: cna@python.org)
  • https://github.com/python/cpython/commit/0aa1ee22ab6e204e9d3d0e9dd63ea648ed691ef1
  • https://github.com/python/cpython/commit/2231286d78d328c2f575e0b05b16fe447d1656d6
  • https://github.com/python/cpython/commit/795f2597a4be988e2bb19b69ff9958e981cb894e
  • https://github.com/python/cpython/commit/7bc367e464ce50b956dd232c1dfa1cad4e7fb814
  • https://github.com/python/cpython/commit/7e8883a3f04d308302361aeffc73e0e9837f19d4
  • https://github.com/python/cpython/commit/8c7348939d8a3ecd79d630075f6be1b0c5b41f64
  • https://github.com/python/cpython/commit/95b073bddefa6243effa08e131e297c0383e7f6a
  • https://github.com/python/cpython/commit/962055268ed4f2ca1d717bfc8b6385de50a23ab7
  • https://github.com/python/cpython/commit/dcc5182f27c1500006a1ef78e10613bb45788dea
  • https://github.com/python/cpython/commit/e0264a61119d551658d9445af38323ba94fc16db
  • https://github.com/python/cpython/commit/fc0b8259e693caa8400fa8b6ac1e494e47ea7798
  • https://github.com/python/cpython/issues/122905
  • https://github.com/python/cpython/issues/123270
  • https://github.com/python/cpython/pull/122906
  • https://mail.python.org/archives/list/security-announce@python.org/thread/GNFCKVI4TCATKQLALJ5SN4L4CSPSMILU/


Similar CVEs

1 record found

CVE-2025-8194
Matching Score: 6
Assigner: Python Software Foundation
CVSS Score: 7.5 (HIGH)
EPSS: 0.09% / 26.02%
Published: 28 Jul, 2025 | 18:42
Updated: 14 Aug, 2025 | 18:16
Tarfile infinite loop during parsing with negative member offset

There is a defect in the CPython “tarfile” module affecting the “TarFile” extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives. This vulnerability can be mitigated by including the following patch after importing the “tarfile” module: https://gist.github.com/sethmlarson/1716ac5b82b73dbcbf23ad2eff8b33e1

Vendor: Python Software Foundation
Product: CPython
CWE ID: CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')