Vulnerability details: VCID-kxt9-wr47-aaaf
Vulnerability ID VCID-kxt9-wr47-aaaf
Aliases CVE-2024-0450
Summary An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior. The zipfile module is vulnerable to “quoted-overlap” zip bombs, which exploit the zip format to build an archive with a very high compression ratio by letting several entries reuse the same compressed data. The fixed versions of CPython make the zipfile module reject zip archives whose entries overlap.
Status Published
Exploitability 0.5
Weighted Severity 5.6
Risk 2.8
System Score Found at
cvssv3 6.2 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-0450.json
epss 0.00046 https://api.first.org/data/v1/epss?cve=CVE-2024-0450
epss 0.00149 https://api.first.org/data/v1/epss?cve=CVE-2024-0450
epss 0.00163 https://api.first.org/data/v1/epss?cve=CVE-2024-0450
epss 0.00173 https://api.first.org/data/v1/epss?cve=CVE-2024-0450
epss 0.00177 https://api.first.org/data/v1/epss?cve=CVE-2024-0450
cvssv3.1 6.2 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
generic_textual Low https://www.bamsoftware.com/hacks/zipbomb/
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-0450.json
https://api.first.org/data/v1/epss?cve=CVE-2024-0450
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0450
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/python/cpython/commit/30fe5d853b56138dbec62432d370a1f99409fc85
https://github.com/python/cpython/commit/66363b9a7b9fe7c99eba3a185b74c5fdbf842eba
https://github.com/python/cpython/commit/70497218351ba44bffc8b571201ecb5652d84675
https://github.com/python/cpython/commit/a2c59992e9e8d35baba9695eb186ad6c6ff85c51
https://github.com/python/cpython/commit/a956e510f6336d5ae111ba429a61c3ade30a7549
https://github.com/python/cpython/commit/d05bac0b74153beb541b88b4fca33bf053990183
https://github.com/python/cpython/commit/fa181fcf2156f703347b03a3b1966ce47be8ab3b
https://github.com/python/cpython/issues/109858
https://lists.debian.org/debian-lts-announce/2024/03/msg00024.html
https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3IGRX54M7RNCQOXVQO5KQKTGWCOABIM/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5VHWS52HGD743C47UMCSAK2A773M2YE/
https://mail.python.org/archives/list/security-announce@python.org/thread/XELNUX2L3IOHBTFU7RQHCY6OUVEWZ2FG/
https://security.netapp.com/advisory/ntap-20250411-0005/
https://www.bamsoftware.com/hacks/zipbomb/
http://www.openwall.com/lists/oss-security/2024/03/20/5
1070133 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1070133
2276525 https://bugzilla.redhat.com/show_bug.cgi?id=2276525
CVE-2024-0450 https://nvd.nist.gov/vuln/detail/CVE-2024-0450
GLSA-202405-01 https://security.gentoo.org/glsa/202405-01
RHSA-2024:3347 https://access.redhat.com/errata/RHSA-2024:3347
RHSA-2024:3391 https://access.redhat.com/errata/RHSA-2024:3391
RHSA-2024:3466 https://access.redhat.com/errata/RHSA-2024:3466
RHSA-2024:4058 https://access.redhat.com/errata/RHSA-2024:4058
RHSA-2024:4078 https://access.redhat.com/errata/RHSA-2024:4078
RHSA-2024:4243 https://access.redhat.com/errata/RHSA-2024:4243
RHSA-2024:4406 https://access.redhat.com/errata/RHSA-2024:4406
RHSA-2024:9190 https://access.redhat.com/errata/RHSA-2024:9190
RHSA-2024:9192 https://access.redhat.com/errata/RHSA-2024:9192
USN-6891-1 https://usn.ubuntu.com/6891-1/
USN-7212-1 https://usn.ubuntu.com/7212-1/
No exploits are available.
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-0450.json
Attack Vector (AV): local
Attack Complexity (AC): low
Privileges Required (PR): none
User Interaction (UI): none
Scope (S): unchanged
Confidentiality Impact (C): none
Integrity Impact (I): none
Availability Impact (A): high
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV): local
Attack Complexity (AC): low
Privileges Required (PR): none
User Interaction (UI): none
Scope (S): unchanged
Confidentiality Impact (C): none
Integrity Impact (I): none
Availability Impact (A): high
Exploit Prediction Scoring System (EPSS)
Percentile 0.18115
EPSS Score 0.00046
Published At Nov. 1, 2024, midnight
Date Actor Action Source VulnerableCode Version
2024-04-23T17:17:55.992492+00:00 NVD Importer Import https://nvd.nist.gov/vuln/detail/CVE-2024-0450 34.0.0rc4