Severity: Medium

Package: zipp

Denial of Service via Crafted Zip File

A denial of service vulnerability was discovered in the zipp library and in CPython's zipfile module (zipp is the standalone backport of the zipfile.Path functionality that ships in CPython): a specially crafted zip file sends the archive-handling code into an infinite loop, so the application stops responding while processing it. All zipp versions prior to 3.19.1 are affected; the issue was patched in zipp 3.19.1.

Published: Jul 09 2024

CVSS score: 6.2 (Medium)

CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (local attack vector, no privileges or user interaction required, impact on availability only)

Credit: 0xcrypto
Remediation Steps
  • Update to zipp version 3.19.1 or later; pin the minimum in your dependency manifest so a downgrade reintroduces the bug visibly.
  • Any application that relies on CPython's own zipfile module needs a CPython release that carries the corresponding fix; updating the zipp package does not patch the interpreter's copy.
  • Validate zip file inputs before handing them to the archive code: reject archives whose entry names are absolute, traverse upward, or are otherwise malformed, rather than trusting the archive structure.
  • Process untrusted archives under a hard deadline, ideally in a separate worker process that can be killed, so that an infinite loop stalls only that worker instead of the whole service; monitor and cap the CPU time and memory granted to that worker.
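The remediation steps above turned into one workflow, as an added example that is not code from the zipp project, CPython or this advisory. It checks the installed zipp version against the advisory's fixed version, parses an untrusted archive in a disposable child interpreter under a hard deadline (a thread stuck in an infinite loop cannot be interrupted from within Python, but a separate process can be killed), and rejects entry names that fail a conservative pre-check. The pre-check rules, the `run_isolated`/`inspect_zip` helper names and the sample archives are assumptions for illustration; this page does not describe which entry names trigger the zipp bug, so the name filter is general archive hygiene rather than a signature for it.

```python
"""Defensive handling of untrusted zip files around the zipp/zipfile
infinite-loop advisory: a version check, an entry-name pre-check, and a hard
deadline enforced by parsing the archive in a disposable child process.
Added example; not code from the zipp project, CPython or the advisory."""
import importlib.metadata
import json
import os
import re
import subprocess
import sys
import tempfile
import zipfile

PATCHED_ZIPP = (3, 19, 1)  # from the advisory: fixed in zipp 3.19.1


def version_tuple(version):
    """Leading numeric components only: '3.19.1.post1' -> (3, 19, 1)."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def version_at_least(version, minimum):
    """True if `version` is at least `minimum`; short tuples are zero-padded."""
    have = version_tuple(version)
    width = max(len(have), len(minimum))
    return (have + (0,) * (width - len(have))
            >= tuple(minimum) + (0,) * (width - len(minimum)))


def zipp_is_patched():
    """True/False for an installed zipp; None if zipp is not installed.
    Covers only the zipp package, not the interpreter's own zipfile copy."""
    try:
        installed = importlib.metadata.version("zipp")
    except importlib.metadata.PackageNotFoundError:
        return None
    return version_at_least(installed, PATCHED_ZIPP)


# Entry-name pre-check. This is a conservative heuristic (an assumption of
# this example, not the advisory's trigger): reject absolute paths, Windows
# drive letters, backslashes, ".." traversal and empty segments ("a//b").
_BAD_SEGMENTS = {"", ".", ".."}


def suspicious_entry_names(names):
    """Return the subset of archive entry names that fail the pre-check."""
    bad = []
    for name in names:
        if name.startswith("/") or "\\" in name or re.match(r"^[A-Za-z]:", name):
            bad.append(name)
            continue
        segments = name.rstrip("/").split("/")  # trailing "/" marks a directory entry
        if any(seg in _BAD_SEGMENTS for seg in segments):
            bad.append(name)
    return bad


# Script run in the child interpreter: it touches exactly the archive code the
# advisory is about (ZipFile plus zipfile.Path.iterdir) and reports as JSON.
_CHILD = r"""
import json, sys, zipfile
with zipfile.ZipFile(sys.argv[1]) as zf:
    names = zf.namelist()
    top_level = sorted(p.name for p in zipfile.Path(zf).iterdir())
print(json.dumps({"names": names, "top_level": top_level}))
"""


def run_isolated(script, args, timeout):
    """Run `script` in a fresh interpreter with a hard deadline.
    Returns ("ok", stdout), ("error", stderr) or ("timeout", None); a child
    stuck in an infinite loop is killed when the deadline expires."""
    cmd = [sys.executable, "-c", script, *args]
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return ("timeout", None)
    if proc.returncode != 0:
        return ("error", proc.stderr.strip())
    return ("ok", proc.stdout)


def inspect_zip(path, timeout=5.0):
    """Full pipeline: parse in a child under a deadline, then validate names."""
    status, out = run_isolated(_CHILD, [str(path)], timeout)
    if status != "ok":
        return {"status": status, "detail": out}
    data = json.loads(out)
    bad = suspicious_entry_names(data["names"])
    if bad:
        return {"status": "rejected", "detail": bad}
    return {"status": "ok", "top_level": data["top_level"]}


def build_zip(path, entries):
    """Write a constructed archive with the given {name: content} entries."""
    with zipfile.ZipFile(path, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return path


def sample_zip(entries=None):
    """Constructed sample archive in a fresh temp dir (benign by default)."""
    if entries is None:
        entries = {"a/b.txt": "hello", "c.txt": "world"}
    return build_zip(os.path.join(tempfile.mkdtemp(), "sample.zip"), entries)


if __name__ == "__main__":
    print("zipp patched:", zipp_is_patched())
    print(inspect_zip(sample_zip()))
```

Run stand-alone it builds a benign sample archive in a temp directory and prints the verdict; a hung parse surfaces as `{"status": "timeout"}` instead of a stalled service. The version check covers only the zipp package: the page gives no CPython release list, so the interpreter itself still has to be kept current separately.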
Patch Details
  • Fixed Version: 3.19.1
  • Patch Commit: https://github.com/jaraco/zipp/commit/fd604bd34f0343472521a36da1fbd22e793e14fd