CVE-2024-11612

EUVD-2024-33917
7-Zip CopyCoder Infinite Loop Denial-of-Service Vulnerability. This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of 7-Zip. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation.

The specific flaw exists within the processing of streams. The issue results from a logic error that can lead to an infinite loop. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. Was ZDI-CAN-24307.
Infinite Loop
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 6.5 MEDIUM | NETWORK | LOW | NONE | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
| zdi | CNA | 6.5 MEDIUM | | | | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
EPSS Score Percentile: 38%
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| 7-zip | 7-zip | 24.06 ≤ 𝑥 < 24.08 |

𝑥 = Vulnerable software versions
Debian Releases
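| Debian Product | Codename | Version | Status |
|---|---|---|---|
| 7zip | bookworm | | unimportant |
| 7zip | forky | 25.01+dfsg-5 | fixed |
| 7zip | sid | 25.01+dfsg-5 | fixed |
| 7zip | trixie | 25.01+dfsg-1~deb13u1 | fixed |
| p7zip | bookworm | | unimportant |
| p7zip | bullseye | | unimportant |
| p7zip | trixie | 16.02+transitional.1 | fixed |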
Ubuntu Releases
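| Ubuntu Product | Codename | Status |
|---|---|---|
| 7zip | focal | dne |
| 7zip | jammy | deferred |
| 7zip | noble | deferred |
| 7zip | oracular | not-affected |
| 7zip | plucky | not-affected |
| 7zip | questing | not-affected |
| p7zip | bionic | deferred |
| p7zip | focal | deferred |
| p7zip | jammy | deferred |
| p7zip | noble | not-affected |
| p7zip | oracular | not-affected |
| p7zip | plucky | not-affected |
| p7zip | questing | not-affected |
| p7zip | trusty | deferred |
| p7zip | xenial | deferred |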