CVE-2024-7592

There is a LOW severity vulnerability affecting CPython, specifically the
'http.cookies' standard library module.


When parsing cookies that contained backslashes for quoted characters in
the cookie value, the parser would use an algorithm with quadratic
complexity, resulting in excess CPU resources being used while parsing the
value.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
PSFCNA
---
---
CISA-ADPADP
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 48%
VendorProductVersion
pythonpython
𝑥
< 3.8.20
pythonpython
3.9.0 ≤
𝑥
< 3.9.20
pythonpython
3.10.0 ≤
𝑥
< 3.10.15
pythonpython
3.11.0 ≤
𝑥
< 3.11.10
pythonpython
3.12.0 ≤
𝑥
< 3.12.6
pythonpython
3.13.0:alpha0
pythonpython
3.13.0:alpha1
pythonpython
3.13.0:alpha2
pythonpython
3.13.0:alpha3
pythonpython
3.13.0:alpha4
pythonpython
3.13.0:alpha5
pythonpython
3.13.0:alpha6
pythonpython
3.13.0:beta1
pythonpython
3.13.0:beta2
pythonpython
3.13.0:beta3
pythonpython
3.13.0:beta4
pythonpython
3.13.0:rc1
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
python3.11
bookworm
3.11.2-6+deb12u6
fixed
bookworm (security)
vulnerable
python3.12
sid
3.12.10-1
fixed
python3.13
trixie
3.13.3-2
fixed
sid
3.13.3-4
fixed
python3.9
bullseye
vulnerable
bullseye (security)
3.9.2-1+deb11u3
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
python2.7
plucky
dne
oracular
dne
noble
dne
jammy
Fixed 2.7.18-13ubuntu1.2+esm2
released
focal
Fixed 2.7.18-1~20.04.4+esm2
released
bionic
Fixed 2.7.17-1~18.04ubuntu1.13+esm5
released
xenial
Fixed 2.7.12-1ubuntu0~16.04.18+esm10
released
trusty
Fixed 2.7.6-8ubuntu0.6+esm20
released
python3.10
plucky
dne
oracular
dne
noble
dne
jammy
Fixed 3.10.12-1~22.04.6
released
focal
dne
python3.11
plucky
dne
oracular
dne
noble
dne
jammy
needs-triage
focal
dne
python3.12
plucky
dne
oracular
not-affected
noble
Fixed 3.12.3-1ubuntu0.2
released
jammy
dne
focal
dne
python3.13
plucky
not-affected
oracular
not-affected
noble
dne
jammy
dne
focal
dne
python3.4
plucky
dne
oracular
dne
noble
dne
jammy
dne
focal
dne
trusty
needs-triage
python3.5
plucky
dne
oracular
dne
noble
dne
jammy
dne
focal
dne
xenial
Fixed 3.5.2-2ubuntu0~16.04.13+esm14
released
trusty
Fixed 3.5.2-2ubuntu0~16.04.4~14.04.1+esm3
released
python3.6
plucky
dne
oracular
dne
noble
dne
jammy
dne
focal
dne
bionic
needs-triage
python3.7
plucky
dne
oracular
dne
noble
dne
jammy
dne
focal
dne
bionic
needs-triage
python3.8
plucky
dne
oracular
dne
noble
dne
jammy
dne
focal
Fixed 3.8.10-0ubuntu1~20.04.12
released
bionic
needs-triage
python3.9
plucky
dne
oracular
dne
noble
dne
jammy
dne
focal
needs-triage
Common Weakness Enumeration
References
https://github.com/python/cpython/commit/391e5626e3ee5af267b97e37abc7475732e67621
https://github.com/python/cpython/commit/44e458357fca05ca0ae2658d62c8c595b048b5ef
https://github.com/python/cpython/commit/a77ab24427a18bff817025adb03ca920dc3f1a06
https://github.com/python/cpython/commit/b2f11ca7667e4d57c71c1c88b255115f16042d9a
https://github.com/python/cpython/commit/d4ac921a4b081f7f996a5d2b101684b67ba0ed7f
https://github.com/python/cpython/commit/d662e2db2605515a767f88ad48096b8ac623c774
https://github.com/python/cpython/commit/dcc3eaef98cd94d6cb6cb0f44bd1c903d04f33b1
https://github.com/python/cpython/issues/123067
https://github.com/python/cpython/pull/123075
https://mail.python.org/archives/list/security-announce@python.org/thread/HXJAAAALNUNGCQUS2W7WR6GFIZIHFOOK/
https://security.netapp.com/advisory/ntap-20241018-0006/