BIT-python-min-2024-0450

Import Source
https://github.com/bitnami/vulndb/tree/main/data/python-min/BIT-python-min-2024-0450.json
JSON Data
https://api.test.osv.dev/v1/vulns/BIT-python-min-2024-0450
Aliases
Published
2025-01-17T15:06:28.314Z
Modified
2025-05-20T10:02:07.006Z
Summary
Quoted zip-bomb protection for zipfile
Details

An issue was found in the CPython zipfile module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.

The zipfile module is vulnerable to “quoted-overlap” zip-bombs, which exploit the zip format to build an archive with a very high compression ratio by making several central-directory entries reference the same compressed data. The fixed versions of CPython make the zipfile module reject archives whose entries overlap.
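As an added illustration (not CPython's own fix and not part of this record), the following Python check mirrors the idea behind the fix: it reads each entry's local header and flags entries whose byte ranges overlap, so an archive can be rejected before extraction on an interpreter that predates the fixed versions. The helper names and the sample archive are constructed for this example.

```python
import io
import struct
import zipfile

# Fixed part of a local file header: 30 bytes, little-endian (PKZIP APPNOTE).
LOCAL_HEADER_FMT = "<4s5H3L2H"
LOCAL_HEADER_SIZE = struct.calcsize(LOCAL_HEADER_FMT)
LOCAL_HEADER_SIG = b"PK\x03\x04"


def entry_spans(zf):
    """Return (start, end, name) byte spans for each entry of an open ZipFile.

    start is the local header offset from the central directory; end is computed
    from the name/extra lengths of the local header actually on disk (they may
    differ from the central directory copy) plus the central compressed size.
    A trailing data descriptor is not counted; that cannot create a false overlap.
    """
    spans = []
    for zinfo in zf.infolist():
        zf.fp.seek(zinfo.header_offset)
        raw = zf.fp.read(LOCAL_HEADER_SIZE)
        if len(raw) != LOCAL_HEADER_SIZE or raw[:4] != LOCAL_HEADER_SIG:
            raise zipfile.BadZipFile(f"bad local header for {zinfo.filename!r}")
        fields = struct.unpack(LOCAL_HEADER_FMT, raw)
        name_len, extra_len = fields[9], fields[10]
        end = zinfo.header_offset + LOCAL_HEADER_SIZE + name_len + extra_len + zinfo.compress_size
        spans.append((zinfo.header_offset, end, zinfo.filename))
    return spans


def overlapping_spans(spans):
    """Return pairs of offset-adjacent spans whose byte ranges overlap."""
    ordered = sorted(spans)
    return [(a, b) for a, b in zip(ordered, ordered[1:]) if a[1] > b[0]]


def check_archive(data):
    """Return the overlapping entry pairs of an archive given as bytes ([] if clean)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return overlapping_spans(entry_spans(zf))


def build_sample_archive():
    """Constructed, well-formed two-entry archive used to exercise the check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("a.txt", b"A" * 1000)
        zf.writestr("b.txt", b"B" * 1000)
    return buf.getvalue()


if __name__ == "__main__":
    print(check_archive(build_sample_archive()))  # [] for the clean sample
```

On fixed interpreters `zipfile.ZipFile` itself raises `BadZipFile` for such archives, so this check only adds value where upgrading is not yet possible.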

Database specific
{
    "cpes": [
        "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*"
    ],
    "severity": "Medium"
}
References

Affected packages

Bitnami / python-min

Package

Name
python-min
Purl
pkg:bitnami/python-min

Severity

  • 6.2 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
3.8.19
Introduced
3.9.0
Fixed
3.9.19
Introduced
3.10.0
Fixed
3.10.14
Introduced
3.11.0
Fixed
3.11.8
Introduced
3.12.0
Fixed
3.12.2