CVE-2024-7592
Last modified
CVE-2024-7592 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value.. EPSS estimates a 2.30% chance of exploitation in the next 30 days.
Description
There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions | Update |
|---|---|---|---|
| Python | Python | < 3.8.20 | — |
| Python | Python | >= 3.9.0, < 3.9.20 | — |
| Python | Python | >= 3.10.0, < 3.10.15 | — |
| Python | Python | >= 3.11.0, < 3.11.10 | — |
| Python | Python | >= 3.12.0, < 3.12.6 | — |
| Python | Python | 3.13.0 | Alpha0 |
References
- https://github.com/python/cpython/issues/123067Exploit, Issue Tracking, Patch
- https://github.com/python/cpython/pull/123075Issue Tracking, Patch
- https://security.netapp.com/advisory/ntap-20241018-0006/Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2024-7592?
How severe is CVE-2024-7592?
How do I fix CVE-2024-7592?
Are you affected by CVE-2024-7592?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST