CVE-2024-7592

EUVD-2024-48488
There is a LOW severity vulnerability affecting CPython, specifically the
'http.cookies' standard library module.


When parsing cookies that contained backslashes for quoted characters in
the cookie value, the parser would use an algorithm with quadratic
complexity, resulting in excess CPU resources being used while parsing the
value.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA-ADPADP
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 73%
Affected Products (NVD)
VendorProductVersion
pythonpython
𝑥
< 3.8.20
pythonpython
3.9.0 ≤
𝑥
< 3.9.20
pythonpython
3.10.0 ≤
𝑥
< 3.10.15
pythonpython
3.11.0 ≤
𝑥
< 3.11.10
pythonpython
3.12.0 ≤
𝑥
< 3.12.6
pythonpython
3.13.0:alpha0
pythonpython
3.13.0:alpha1
pythonpython
3.13.0:alpha2
pythonpython
3.13.0:alpha3
pythonpython
3.13.0:alpha4
pythonpython
3.13.0:alpha5
pythonpython
3.13.0:alpha6
pythonpython
3.13.0:beta1
pythonpython
3.13.0:beta2
pythonpython
3.13.0:beta3
pythonpython
3.13.0:beta4
pythonpython
3.13.0:rc1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
pypy3
bookworm
no-dsa
bullseye
vulnerable
bullseye (security)
7.3.5+dfsg-2+deb11u5
fixed
forky
7.3.20+dfsg-4
fixed
sid
7.3.20+dfsg-4
fixed
trixie
7.3.19+dfsg-2
fixed
python3.11
bookworm
3.11.2-6+deb12u6
fixed
bookworm (security)
vulnerable
python3.13
bookworm
no-dsa
forky
3.13.11-1
fixed
sid
3.13.11-1
fixed
trixie
3.13.5-2
fixed
python3.9
bookworm
no-dsa
bullseye
vulnerable
bullseye (security)
3.9.2-1+deb11u3
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
python2.7
bionic
Fixed 2.7.17-1~18.04ubuntu1.13+esm5
released
focal
Fixed 2.7.18-1~20.04.4+esm2
released
jammy
Fixed 2.7.18-13ubuntu1.2+esm2
released
noble
dne
oracular
dne
plucky
dne
questing
dne
trusty
Fixed 2.7.6-8ubuntu0.6+esm20
released
xenial
Fixed 2.7.12-1ubuntu0~16.04.18+esm10
released
python3.4
focal
dne
jammy
dne
noble
dne
oracular
dne
plucky
dne
questing
dne
trusty
needs-triage
python3.5
focal
dne
jammy
dne
noble
dne
oracular
dne
plucky
dne
questing
dne
trusty
Fixed 3.5.2-2ubuntu0~16.04.4~14.04.1+esm3
released
xenial
Fixed 3.5.2-2ubuntu0~16.04.13+esm14
released
python3.6
bionic
needs-triage
focal
dne
jammy
dne
noble
dne
oracular
dne
plucky
dne
questing
dne
python3.7
bionic
needs-triage
focal
dne
jammy
dne
noble
dne
oracular
dne
plucky
dne
questing
dne
python3.8
bionic
needs-triage
focal
Fixed 3.8.10-0ubuntu1~20.04.12
released
jammy
dne
noble
dne
oracular
dne
plucky
dne
questing
dne
python3.9
focal
needs-triage
jammy
dne
noble
dne
oracular
dne
plucky
dne
questing
dne
python3.10
focal
dne
jammy
Fixed 3.10.12-1~22.04.6
released
noble
dne
oracular
dne
plucky
dne
questing
dne
python3.11
focal
dne
jammy
needs-triage
noble
dne
oracular
dne
plucky
dne
questing
dne
python3.12
focal
dne
jammy
dne
noble
Fixed 3.12.3-1ubuntu0.2
released
oracular
not-affected
plucky
dne
questing
dne
python3.13
focal
dne
jammy
dne
noble
dne
oracular
not-affected
plucky
not-affected
questing
not-affected
Common Weakness Enumeration
References
https://github.com/python/cpython/commit/391e5626e3ee5af267b97e37abc7475732e67621
https://github.com/python/cpython/commit/44e458357fca05ca0ae2658d62c8c595b048b5ef
https://github.com/python/cpython/commit/a77ab24427a18bff817025adb03ca920dc3f1a06
https://github.com/python/cpython/commit/b2f11ca7667e4d57c71c1c88b255115f16042d9a
https://github.com/python/cpython/commit/d4ac921a4b081f7f996a5d2b101684b67ba0ed7f
https://github.com/python/cpython/commit/d662e2db2605515a767f88ad48096b8ac623c774
https://github.com/python/cpython/commit/dcc3eaef98cd94d6cb6cb0f44bd1c903d04f33b1
https://github.com/python/cpython/issues/123067
https://github.com/python/cpython/pull/123075
https://mail.python.org/archives/list/security-announce@python.org/thread/HXJAAAALNUNGCQUS2W7WR6GFIZIHFOOK/
https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html
https://security.netapp.com/advisory/ntap-20241018-0006/