CVE-2024-7592

HIGH

CPython - Info Disclosure

Title source: llm

Description

There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value.

References (12)

[Patch] https://github.com/python/cpython/commit/391e5626e3ee5af267b97e37abc7475732e67621

View Patch ZIP pw:eip

[Patch] https://github.com/python/cpython/commit/44e458357fca05ca0ae2658d62c8c595b048b5ef

[Patch] https://github.com/python/cpython/commit/a77ab24427a18bff817025adb03ca920dc3f1a06

[Patch] https://github.com/python/cpython/commit/b2f11ca7667e4d57c71c1c88b255115f16042d9a

[Patch] https://github.com/python/cpython/commit/d4ac921a4b081f7f996a5d2b101684b67ba0ed7f

[Patch] https://github.com/python/cpython/commit/d662e2db2605515a767f88ad48096b8ac623c774

[Patch] https://github.com/python/cpython/commit/dcc3eaef98cd94d6cb6cb0f44bd1c903d04f33b1

[Exploit, Issue Tracking, Patch] https://github.com/python/cpython/issues/123067

[Issue Tracking, Patch] https://github.com/python/cpython/pull/123075

[Mailing List] https://mail.python.org/archives/list/[email protected]/thread/HXJAAAALNUNGCQUS2W7WR6GFIZIHFOOK/

[Mailing List] https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html

[Third Party Advisory] https://security.netapp.com/advisory/ntap-20241018-0006/

Scores

CVSS v3 7.5

EPSS 0.0080

EPSS Percentile 73.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Classification

CWE

CWE-1333 CWE-400

Status published

Affected Products (13)

python/python < 3.8.20

python/python

python/python

python/python

python/python

python/python

python/python

python/python

python/python

python/python

python/python

python/python

python/python

Timeline

Published Aug 19, 2024

Tracked Since Feb 18, 2026