jaraco/zipp: Denial of Service (DoS) (CVE-2024-5569) #shorts #breaking

CVE

This CVE describes a Denial of Service vulnerability in the jaraco/zipp library, affecting all versions prior to 3.19.1. The same code is periodically merged into CPython's zipfile module, so zipfile.Path carries the identical defect. When a specially crafted zip file is processed, operations on the `Path` class such as `joinpath`, the overloaded division operator (`/`) and `iterdir` enter an infinite loop and never return. The loop does not exhaust memory or other resources, but it pins the calling thread and leaves the application unresponsive, which is sufficient for a Denial of Service. The fix shipped in jaraco/zipp 3.19.1. This vulnerability has been known for 3 months and is not classified as a zero-day exploit.

Watch the full video on YouTube: CVE-2024-5569
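As an added example (this is not code from zipp, CPython or the advisory): a pre-screen that rejects malformed member names before an untrusted archive is handed to zipp.Path or zipfile.Path, and a bounded ancestor walk that shows why a naive parent-directory loop built on posixpath.split can fail to terminate. The advisory does not say which entry names trigger the loop; the malformed names in the constructed sample archive (leading slashes, empty components, `..`) are assumed shapes such a guard should reject, and the version check assumes plain dotted version strings.

```python
"""Pre-screen zip member names before using zipp.Path / zipfile.Path on them.

Added illustration for CVE-2024-5569; the trigger names and the checks below
are assumptions, not the upstream fix (which is to upgrade to zipp >= 3.19.1).
"""
import io
import posixpath
import zipfile
from typing import List, Optional


def safe_member_name(name: str) -> bool:
    """Accept only relative, normalised member names.

    Rejects empty names, absolute paths, backslashes, and empty ('//'),
    '.' or '..' components. One trailing '/' (a directory entry) is allowed.
    """
    if not name or name.startswith("/") or "\\" in name:
        return False
    parts = name.split("/")
    if parts[-1] == "":            # directory entry such as "docs/"
        parts = parts[:-1]
    return bool(parts) and all(p not in ("", ".", "..") for p in parts)


def bounded_ancestry(name: str, limit: Optional[int] = None) -> List[str]:
    """Yield a member's ancestors with an explicit step bound.

    posixpath.split() never shrinks a head made only of slashes
    (split("//") == ("//", "")), so a walk that stops only at "" or "/"
    spins forever on a name like "//a". Every terminating walk removes at
    least one character per step, so len(name) + 1 steps always suffice.
    """
    limit = len(name) + 1 if limit is None else limit
    ancestors: List[str] = []
    path = name.rstrip("/")
    for _ in range(limit):
        if not path or path == "/":
            return ancestors
        ancestors.append(path)
        path, _tail = posixpath.split(path)
    raise ValueError(f"ancestor walk of {name!r} did not terminate in {limit} steps")


def ancestry_terminates(name: str) -> bool:
    """True if bounded_ancestry() reaches the root within its step bound."""
    try:
        bounded_ancestry(name)
        return True
    except ValueError:
        return False


def suspicious_members(zip_bytes: bytes) -> List[str]:
    """Names in the archive that fail safe_member_name(); screen before Path use."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if not safe_member_name(n)]


def zipp_is_fixed(version: str) -> bool:
    """True if a plain dotted zipp version string is at least 3.19.1."""
    return tuple(int(p) for p in version.split(".")) >= (3, 19, 1)


def build_sample_archive() -> bytes:
    """Constructed sample: two ordinary members plus three malformed names.

    ZipFile.writestr() stores arcnames as given, so the malformed names
    survive into the central directory exactly as written.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", b"hello")
        zf.writestr("docs/", b"")
        zf.writestr("//shadow", b"x")        # absolute path with empty component
        zf.writestr("../escape.txt", b"x")   # parent traversal
        zf.writestr("a//b", b"x")            # empty component mid-path
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_archive()
    print("rejected members:", suspicious_members(sample))
    for member in ("docs/readme.txt", "//shadow"):
        print(member, "terminates:", ancestry_terminates(member))
    print("zipp 3.19.0 fixed:", zipp_is_fixed("3.19.0"))
```

Run the pre-screen on any archive that arrives from an untrusted source and refuse it if `suspicious_members()` is non-empty; this is a stopgap for services that cannot upgrade immediately, not a replacement for moving to zipp 3.19.1 or a CPython release carrying the same fix.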

Remediation and exploitation details

Systems involved

Any application that opens archives with jaraco/zipp earlier than 3.19.1, or with CPython's zipfile.Path, which contains the same code.

Attack entry point

A specially crafted zip file supplied by the attacker and then walked with `Path` operations (`joinpath`, the `/` operator, `iterdir`).

Remediation actions

Upgrade jaraco/zipp to 3.19.1 or later, the release in which the loop was fixed. Applications relying on zipfile.Path also need a CPython release that carries the same fix; this page does not list those versions, so check the changelog of the interpreter in use. Until the upgrade is in place, avoid calling `Path` operations on archives from untrusted sources, or run them in a worker with a timeout so a hung walk cannot block the service.

Exploitation actions

Processing the crafted archive with any of the `Path` operations above puts the thread into an infinite loop; the page gives no further exploit details.
CVE database technical details

CVE ID
CVE-2024-5569
Description
A Denial of Service (DoS) vulnerability exists in the jaraco/zipp library, affecting all versions prior to 3.19.1. The vulnerability is triggered when processing a specially crafted zip file that leads to an infinite loop. This issue also impacts the zipfile module of CPython, as features from the third-party zipp library are later merged into CPython, and the affected code is identical in both projects. The infinite loop can be initiated through the use of functions affecting the `Path` module in both zipp and zipfile, such as `joinpath`, the overloaded division operator, and `iterdir`. Although the infinite loop is not resource exhaustive, it prevents the application from responding. The vulnerability was addressed in version 3.19.1 of jaraco/zipp.
Provider
@huntr_ai
CWE / problem types
CWE-400 Uncontrolled Resource Consumption
Affected Software Versions
jaraco/zipp: all versions earlier than 3.19.1 are affected (version type: custom)
Date Published
2024-07-09T00:00:14.522Z
Last Updated
2024-08-01T21:18:06.310Z