CVE-2024-7592

HIGH

CPython - Info Disclosure

Title source: llm

Description

There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value.

References (12)

[Mailing List] https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html

[Third Party Advisory] https://security.netapp.com/advisory/ntap-20241018-0006/

[Issue Tracking, Patch] https://github.com/python/cpython/pull/123075

[Exploit, Issue Tracking, Patch] https://github.com/python/cpython/issues/123067

[Mailing List] https://mail.python.org/archives/list/[email protected]/thread/HXJAAAALNUNGCQUS2W7WR6GFIZIHFOOK/

[Patch] https://github.com/python/cpython/commit/391e5626e3ee5af267b97e37abc7475732e67621

View Patch ZIP pw:eip

[Patch] https://github.com/python/cpython/commit/dcc3eaef98cd94d6cb6cb0f44bd1c903d04f33b1

[Patch] https://github.com/python/cpython/commit/a77ab24427a18bff817025adb03ca920dc3f1a06

[Patch] https://github.com/python/cpython/commit/b2f11ca7667e4d57c71c1c88b255115f16042d9a

[Patch] https://github.com/python/cpython/commit/d4ac921a4b081f7f996a5d2b101684b67ba0ed7f

[Patch] https://github.com/python/cpython/commit/d662e2db2605515a767f88ad48096b8ac623c774

[Patch] https://github.com/python/cpython/commit/44e458357fca05ca0ae2658d62c8c595b048b5ef

Scores

CVSS v3 7.5

EPSS 0.0080

EPSS Percentile 74.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-1333 CWE-400

Status published

Products (2)

python/python 3.13.0 alpha0 (12 CPE variants)

python/python < 3.8.20

Published Aug 19, 2024

Tracked Since Feb 18, 2026