CVE-2024-6232

There is a MEDIUM severity vulnerability affecting CPython.





Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
PSFCNA
---
---
CISA-ADPADP
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 71%
VendorProductVersion
pythonpython
𝑥
< 3.8.20
pythonpython
3.9.0 ≤
𝑥
< 3.9.20
pythonpython
3.10.0 ≤
𝑥
< 3.10.15
pythonpython
3.11.0 ≤
𝑥
< 3.11.10
pythonpython
3.12.0 ≤
𝑥
< 3.12.6
pythonpython
3.13.0:alpha0
pythonpython
3.13.0:alpha1
pythonpython
3.13.0:alpha2
pythonpython
3.13.0:alpha3
pythonpython
3.13.0:alpha4
pythonpython
3.13.0:alpha5
pythonpython
3.13.0:alpha6
pythonpython
3.13.0:beta1
pythonpython
3.13.0:beta2
pythonpython
3.13.0:beta3
pythonpython
3.13.0:beta4
pythonpython
3.13.0:rc1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
python2.7
bullseye
vulnerable
python3.11
bookworm
3.11.2-6+deb12u6
fixed
bullseye
ignored
bookworm (security)
vulnerable
python3.12
sid
3.12.10-1
fixed
bullseye
ignored
python3.13
trixie
3.13.3-2
fixed
bullseye
ignored
sid
3.13.3-4
fixed
python3.9
bullseye
vulnerable
bullseye (security)
3.9.2-1+deb11u3
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
python2.7
plucky
dne
oracular
dne
noble
dne
jammy
Fixed 2.7.18-13ubuntu1.3
released
focal
Fixed 2.7.18-1~20.04.5
released
bionic
not-affected
xenial
Fixed 2.7.12-1ubuntu0~16.04.18+esm12
released
trusty
Fixed 2.7.6-8ubuntu0.6+esm21
released
python3.10
plucky
dne
oracular
dne
noble
dne
jammy
Fixed 3.10.12-1~22.04.6
released
focal
dne
bionic
dne
xenial
dne
trusty
dne
python3.11
plucky
dne
oracular
dne
noble
dne
jammy
Fixed 3.11.0~rc1-1~22.04.1~esm2
released
focal
dne
bionic
dne
xenial
dne
trusty
dne
python3.12
plucky
dne
oracular
not-affected
noble
Fixed 3.12.3-1ubuntu0.2
released
jammy
dne
focal
dne
bionic
dne
xenial
dne
trusty
dne
python3.13
plucky
not-affected
oracular
not-affected
noble
dne
jammy
dne
focal
dne
bionic
dne
xenial
dne
trusty
dne
python3.4
plucky
dne
oracular
dne
noble
dne
jammy
dne
focal
dne
bionic
dne
xenial
dne
trusty
Fixed 3.4.3-1ubuntu1~14.04.7+esm14
released
python3.5
plucky
dne
oracular
dne
noble
dne
jammy
dne
focal
dne
bionic
dne
xenial
Fixed 3.5.2-2ubuntu0~16.04.13+esm14
released
trusty
Fixed 3.5.2-2ubuntu0~16.04.4~14.04.1+esm3
released
python3.6
plucky
dne
oracular
dne
noble
dne
jammy
dne
focal
dne
bionic
Fixed 3.6.9-1~18.04ubuntu1.13+esm3
released
xenial
dne
trusty
dne
python3.7
plucky
dne
oracular
dne
noble
dne
jammy
dne
focal
dne
bionic
Fixed 3.7.5-2ubuntu1~18.04.2+esm4
released
xenial
dne
trusty
dne
python3.8
plucky
dne
oracular
dne
noble
dne
jammy
dne
focal
Fixed 3.8.10-0ubuntu1~20.04.12
released
bionic
Fixed 3.8.0-3ubuntu1~18.04.2+esm3
released
xenial
dne
trusty
dne
python3.9
plucky
dne
oracular
dne
noble
dne
jammy
dne
focal
Fixed 3.9.5-3ubuntu0~20.04.1+esm3
released
bionic
dne
xenial
dne
trusty
dne
Common Weakness Enumeration
References
https://github.com/python/cpython/commit/34ddb64d088dd7ccc321f6103d23153256caa5d4
https://github.com/python/cpython/commit/4eaf4891c12589e3c7bdad5f5b076e4c8392dd06
https://github.com/python/cpython/commit/743acbe872485dc18df4d8ab2dc7895187f062c4
https://github.com/python/cpython/commit/7d1f50cd92ff7e10a1c15a8f591dde8a6843a64d
https://github.com/python/cpython/commit/b4225ca91547aa97ed3aca391614afbb255bc877
https://github.com/python/cpython/commit/d449caf8a179e3b954268b3a88eb9170be3c8fbf
https://github.com/python/cpython/commit/ed3a49ea734ada357ff4442996fd4ae71d253373
https://github.com/python/cpython/issues/121285
https://github.com/python/cpython/pull/121286
https://mail.python.org/archives/list/security-announce@python.org/thread/JRYFTPRHZRTLMZLWQEUHZSJXNHM4ACTY/
http://www.openwall.com/lists/oss-security/2024/09/03/5
https://security.netapp.com/advisory/ntap-20241018-0007/