GHSA-jfmj-5v4g-7637

Suggest an improvement
Source
https://github.com/advisories/GHSA-jfmj-5v4g-7637
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-jfmj-5v4g-7637/GHSA-jfmj-5v4g-7637.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-jfmj-5v4g-7637
Aliases
Published
2024-07-09T00:31:40Z
Modified
2024-07-09T17:42:31.814025Z
Severity
  • 6.2 (Medium) CVSS_V3 - CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
zipp Denial of Service vulnerability
Details

A Denial of Service (DoS) vulnerability exists in the jaraco/zipp library, affecting all versions prior to 3.19.1. The vulnerability is triggered when processing a specially crafted zip file that leads to an infinite loop. This issue also impacts the zipfile module of CPython, as features from the third-party zipp library are later merged into CPython, and the affected code is identical in both projects. The infinite loop can be initiated through the use of functions affecting the Path module in both zipp and zipfile, such as joinpath, the overloaded division operator, and iterdir. Although the infinite loop is not resource exhaustive, it prevents the application from responding. The vulnerability was addressed in version 3.19.1 of jaraco/zipp.

References

Affected packages

PyPI / zipp

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.19.1

Affected versions

0.*

0.1.0
0.2.0
0.2.1
0.3.0
0.3.1
0.3.2
0.3.3
0.4.0
0.5.0
0.5.1
0.5.2
0.6.0

1.*

1.0.0
1.1.0
1.1.1
1.2.0

2.*

2.0.0
2.0.1
2.1.0
2.2.0
2.2.1

3.*

3.0.0
3.1.0
3.2.0
3.3.0
3.3.1
3.3.2
3.4.0
3.4.1
3.4.2
3.5.0
3.5.1
3.6.0
3.7.0
3.8.0
3.8.1
3.9.0
3.9.1
3.10.0
3.11.0
3.12.0
3.12.1
3.13.0
3.14.0
3.15.0
3.16.0
3.16.1
3.16.2
3.17.0
3.18.0
3.18.1
3.18.2
3.19.0