Fluid Attacks Database

Description

An issue was found in the CPython zipfile module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 12	python3.11	=3.11.2-6 \|\| =3.11.2-6+deb12u1 \|\| >=0 <3.11.2-6+deb12u2	3.11.2-6+deb12u2
alpine v3.16	python3	=3.1.3-r0 \|\| =3.10.0-r0 \|\| =3.10.0-r1 \|\| =3.10.1-r0 \|\| =3.10.10-r0 \|\| =3.10.11-r0 \|\| =3.10.12-r0 \|\| =3.10.13-r0 \|\| =3.10.2-r0 \|\| =3.10.2-r1 \|\| =3.10.3-r0 \|\| =3.10.3-r1 \|\| =3.10.4-r0 \|\| =3.10.5-r0 \|\| =3.10.8-r0 \|\| =3.10.9-r0 \|\| =3.2.0-r0 \|\| =3.2.3-r0 \|\| =3.3.0-r0 \|\| =3.3.2-r0 \|\| =3.3.3-r0 \|\| =3.3.4-r0 \|\| =3.4.1-r0 \|\| =3.4.2-r0 \|\| =3.4.2-r1 \|\| =3.4.3-r1 \|\| =3.4.3-r2 \|\| =3.5.0-r0 \|\| =3.5.1-r0 \|\| =3.5.1-r1 \|\| =3.5.1-r2 \|\| =3.5.1-r3 \|\| =3.5.2-r0 \|\| =3.5.2-r1 \|\| =3.5.2-r10 \|\| =3.5.2-r2 \|\| =3.5.2-r3 \|\| =3.5.2-r4 \|\| =3.5.2-r5 \|\| =3.5.2-r6 \|\| =3.5.2-r7 \|\| =3.5.2-r8 \|\| =3.5.2-r9 \|\| =3.6.0-r0 \|\| =3.6.1-r0 \|\| =3.6.1-r1 \|\| =3.6.1-r2 \|\| =3.6.1-r3 \|\| =3.6.1-r4 \|\| =3.6.2-r0 \|\| =3.6.2-r1 \|\| =3.6.2-r2 \|\| =3.6.2-r3 \|\| =3.6.3-r3 \|\| =3.6.3-r4 \|\| =3.6.3-r5 \|\| =3.6.3-r6 \|\| =3.6.3-r7 \|\| =3.6.3-r8 \|\| =3.6.3-r9 \|\| =3.6.4-r0 \|\| =3.6.4-r1 \|\| =3.6.6-r0 \|\| =3.6.6-r1 \|\| =3.6.6-r2 \|\| =3.6.6-r3 \|\| =3.6.7-r0 \|\| =3.6.8-r0 \|\| =3.6.8-r1 \|\| =3.6.8-r2 \|\| =3.7.2-r0 \|\| =3.7.3-r0 \|\| =3.7.3-r1 \|\| =3.7.4-r0 \|\| =3.7.5-r0 \|\| =3.7.5-r1 \|\| =3.8.0-r0 \|\| =3.8.1-r0 \|\| =3.8.1-r1 \|\| =3.8.1-r2 \|\| =3.8.1-r3 \|\| =3.8.2-r0 \|\| =3.8.2-r1 \|\| =3.8.2-r2 \|\| =3.8.2-r3 \|\| =3.8.2-r4 \|\| =3.8.2-r5 \|\| =3.8.2-r6 \|\| =3.8.2-r7 \|\| =3.8.3-r0 \|\| =3.8.4-r0 \|\| =3.8.5-r0 \|\| =3.8.5-r1 \|\| =3.8.5-r2 \|\| =3.8.6-r0 \|\| =3.8.7-r0 \|\| =3.8.7-r1 \|\| =3.8.7-r2 \|\| =3.8.7-r3 \|\| =3.8.8-r0 \|\| =3.9.1-r0 \|\| =3.9.2-r0 \|\| =3.9.4-r0 \|\| =3.9.5-r0 \|\| =3.9.5-r1 \|\| =3.9.6-r0 \|\| =3.9.6-r1 \|\| =3.9.6-r2 \|\| =3.9.7-r2 \|\| =3.9.7-r3 \|\| =3.9.7-r4 \|\| >=0 <3.10.14-r0	3.10.14-r0
alpine v3.17	python3	=3.1.3-r0 \|\| =3.10.0-r0 \|\| =3.10.0-r1 \|\| =3.10.1-r0 \|\| =3.10.10-r0 \|\| =3.10.11-r0 \|\| =3.10.12-r0 \|\| =3.10.13-r0 \|\| =3.10.2-r0 \|\| =3.10.2-r1 \|\| =3.10.3-r0 \|\| =3.10.3-r1 \|\| =3.10.4-r0 \|\| =3.10.5-r0 \|\| =3.10.5-r1 \|\| =3.10.5-r2 \|\| =3.10.6-r0 \|\| =3.10.6-r1 \|\| =3.10.7-r0 \|\| =3.10.8-r0 \|\| =3.10.8-r1 \|\| =3.10.8-r2 \|\| =3.10.8-r3 \|\| =3.10.9-r0 \|\| =3.10.9-r1 \|\| =3.2.0-r0 \|\| =3.2.3-r0 \|\| =3.3.0-r0 \|\| =3.3.2-r0 \|\| =3.3.3-r0 \|\| =3.3.4-r0 \|\| =3.4.1-r0 \|\| =3.4.2-r0 \|\| =3.4.2-r1 \|\| =3.4.3-r1 \|\| =3.4.3-r2 \|\| =3.5.0-r0 \|\| =3.5.1-r0 \|\| =3.5.1-r1 \|\| =3.5.1-r2 \|\| =3.5.1-r3 \|\| =3.5.2-r0 \|\| =3.5.2-r1 \|\| =3.5.2-r10 \|\| =3.5.2-r2 \|\| =3.5.2-r3 \|\| =3.5.2-r4 \|\| =3.5.2-r5 \|\| =3.5.2-r6 \|\| =3.5.2-r7 \|\| =3.5.2-r8 \|\| =3.5.2-r9 \|\| =3.6.0-r0 \|\| =3.6.1-r0 \|\| =3.6.1-r1 \|\| =3.6.1-r2 \|\| =3.6.1-r3 \|\| =3.6.1-r4 \|\| =3.6.2-r0 \|\| =3.6.2-r1 \|\| =3.6.2-r2 \|\| =3.6.2-r3 \|\| =3.6.3-r3 \|\| =3.6.3-r4 \|\| =3.6.3-r5 \|\| =3.6.3-r6 \|\| =3.6.3-r7 \|\| =3.6.3-r8 \|\| =3.6.3-r9 \|\| =3.6.4-r0 \|\| =3.6.4-r1 \|\| =3.6.6-r0 \|\| =3.6.6-r1 \|\| =3.6.6-r2 \|\| =3.6.6-r3 \|\| =3.6.7-r0 \|\| =3.6.8-r0 \|\| =3.6.8-r1 \|\| =3.6.8-r2 \|\| =3.7.2-r0 \|\| =3.7.3-r0 \|\| =3.7.3-r1 \|\| =3.7.4-r0 \|\| =3.7.5-r0 \|\| =3.7.5-r1 \|\| =3.8.0-r0 \|\| =3.8.1-r0 \|\| =3.8.1-r1 \|\| =3.8.1-r2 \|\| =3.8.1-r3 \|\| =3.8.2-r0 \|\| =3.8.2-r1 \|\| =3.8.2-r2 \|\| =3.8.2-r3 \|\| =3.8.2-r4 \|\| =3.8.2-r5 \|\| =3.8.2-r6 \|\| =3.8.2-r7 \|\| =3.8.3-r0 \|\| =3.8.4-r0 \|\| =3.8.5-r0 \|\| =3.8.5-r1 \|\| =3.8.5-r2 \|\| =3.8.6-r0 \|\| =3.8.7-r0 \|\| =3.8.7-r1 \|\| =3.8.7-r2 \|\| =3.8.7-r3 \|\| =3.8.8-r0 \|\| =3.9.1-r0 \|\| =3.9.2-r0 \|\| =3.9.4-r0 \|\| =3.9.5-r0 \|\| =3.9.5-r1 \|\| =3.9.6-r0 \|\| =3.9.6-r1 \|\| =3.9.6-r2 \|\| =3.9.7-r2 \|\| =3.9.7-r3 \|\| =3.9.7-r4 \|\| >=0 <3.10.14-r0	3.10.14-r0
debian 11	pypy3	=7.3.5+dfsg-2 \|\| =7.3.5+dfsg-2+deb11u1 \|\| =7.3.5+dfsg-2+deb11u2 \|\| >=0 <7.3.5+dfsg-2+deb11u3	7.3.5+dfsg-2+deb11u3
debian 12	pypy3	=7.3.11+dfsg-2 \|\| =7.3.11+dfsg-2+deb12u1 \|\| >=0 <7.3.11+dfsg-2+deb12u2	7.3.11+dfsg-2+deb12u2
debian 13	pypy3	>=0 <7.3.16+dfsg-1	7.3.16+dfsg-1
debian 14	pypy3	>=0 <7.3.16+dfsg-1	7.3.16+dfsg-1
debian 11	python2.7	=2.7.18-10 \|\| =2.7.18-11 \|\| =2.7.18-12 \|\| =2.7.18-13 \|\| =2.7.18-13.1 \|\| =2.7.18-13.1~exp1 \|\| =2.7.18-13.2 \|\| =2.7.18-8 \|\| =2.7.18-8+deb11u1 \|\| =2.7.18-9	-
debian 11	python3.9	=3.9.2-1 \|\| =3.9.2-1+deb11u1 \|\| >=0 <3.9.2-1+deb11u2	3.9.2-1+deb11u2
rpm rhel8	python3.11	<0:3.11.9-1.el8_10	0:3.11.9-1.el8_10

1-10 of 20

Aliases

1. CVE-2024-04502. NVD-2024-04503. OSV-DEBIAN-2024-04504. OSV-2024-04505. OSV-ALPINE-2024-04506. SECURITY-TRACKER-CVE-2024-04507. SECURITY-CVE-2024-0450

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.