CVE-2022-45061

HIGH

Python < 3.7.15 - Denial of Service

Title source: rule
STIX 2.1

Description

An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16.

References (36)

... and 16 more

Scores

CVSS v3 7.5
EPSS 0.0012
EPSS Percentile 31.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-407
Status published
Products (12)
fedoraproject/fedora 35
fedoraproject/fedora 36
fedoraproject/fedora 37
netapp/active_iq_unified_manager (2 CPE variants)
netapp/bootstrap_os
netapp/e-series_performance_analyzer
netapp/element_software
netapp/hci
netapp/management_services_for_element_software
netapp/ontap_select_deploy_administration_utility
... and 2 more
Published Nov 09, 2022
Tracked Since Feb 18, 2026