CVE-2024-7592

Severity: High (CVSS 3.1 base score 7.5) · EPSS 81.2%
Published: Aug 19, 2024 · Last Modified: Jun 17, 2026

Description

There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value.

Note the two ratings on this page: "LOW severity" is the rating the CPython security team gave in the advisory text above, while the 7.5 / High is the CVSS 3.1 base score, which scores any unauthenticated, network-reachable, user-interaction-free availability impact as High regardless of how much traffic the attack costs in practice. The affected code path is only reached for cookie values that are double-quoted and contain backslash escapes, and the cost grows with the length of a single such value.
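As an added worked example (not code from the CVE record, the linked commits or CPython itself), the block below reconstructs in simplified form the pre-fix shape of the http.cookies value decoder next to the single-pass regex substitution used by the fixed releases, checks that both decode identically, and times them on a constructed payload made of backslash-quoted characters. The function names, the FIXED_IN table (read off the Affected Products ranges on this page) and the payload shape are this example's own assumptions.

```python
"""Added example (not from the CVE record or CPython): a reconstruction of the
pre-fix http.cookies value decoder next to the regex-substitution form used
by the fixed releases, plus a timing harness on a constructed payload."""
import re
import sys
import time

# Patterns used by the pre-fix loop: one for octal escapes (\012), one for any
# other backslash-quoted character (\").
_OCTAL = re.compile(r"\\[0-3][0-7][0-7]")
_QUOTE = re.compile(r"[\\].")


def unquote_quadratic(value):
    """Pre-fix shape of the decoder (reconstructed, simplified). Each loop
    iteration runs both searches from offset i; when the value holds no octal
    escape, _OCTAL.search scans to the end of the string every time, so n
    backslash escapes cost O(n^2) character comparisons."""
    if value is None or len(value) < 2:
        return value
    if value[0] != '"' or value[-1] != '"':
        return value          # only double-quoted values are decoded
    value = value[1:-1]
    i, n, res = 0, len(value), []
    while 0 <= i < n:
        o_match = _OCTAL.search(value, i)   # rescans the whole tail each time
        q_match = _QUOTE.search(value, i)
        if not o_match and not q_match:
            res.append(value[i:])
            break
        j = o_match.start(0) if o_match else -1
        k = q_match.start(0) if q_match else -1
        if q_match and (not o_match or k < j):   # \x   -> x
            res.append(value[i:k])
            res.append(value[k + 1])
            i = k + 2
        else:                                    # \012 -> chr(0o12)
            res.append(value[i:j])
            res.append(chr(int(value[j + 1:j + 4], 8)))
            i = j + 4
    return "".join(res)


# Fixed shape: one combined pattern consumed left to right by re.sub, so each
# character is examined a bounded number of times.
_UNQUOTE_SUB = re.compile(r"\\(?:([0-3][0-7][0-7])|(.))").sub


def _unquote_replace(m):
    return chr(int(m[1], 8)) if m[1] else m[2]


def unquote_linear(value):
    if value is None or len(value) < 2:
        return value
    if value[0] != '"' or value[-1] != '"':
        return value
    return _UNQUOTE_SUB(_unquote_replace, value[1:-1])


def make_payload(n_escapes):
    """Constructed hostile value: n backslash-quoted double quotes and no octal
    escape, the input shape the description calls out."""
    return '"' + '\\"' * n_escapes + '"'


def time_unquote(fn, value):
    start = time.perf_counter()
    fn(value)
    return time.perf_counter() - start


# Fixed releases read off the page's Affected Products ranges. The 3.13.0 rows
# carry no usable qualifier on the page, so 3.13 and later are treated as
# outside the affected ranges here (an assumption of this example).
FIXED_IN = {(3, 8): (3, 8, 20), (3, 9): (3, 9, 20), (3, 10): (3, 10, 15),
            (3, 11): (3, 11, 10), (3, 12): (3, 12, 6)}


def is_affected(version_info):
    major, minor, micro = version_info[:3]
    fixed = FIXED_IN.get((major, minor))
    if fixed is None:
        return (major, minor) < (3, 8)   # the "< 3.8.20" row has no lower bound
    return (major, minor, micro) < fixed


if __name__ == "__main__":
    print("running interpreter inside the page's affected ranges:",
          is_affected(sys.version_info))
    for n in (1000, 2000, 4000):          # doubling n roughly quadruples the loop
        payload = make_payload(n)
        assert unquote_quadratic(payload) == unquote_linear(payload) == '"' * n
        print(f"n={n:5d}  loop {time_unquote(unquote_quadratic, payload):.4f}s"
              f"  re.sub {time_unquote(unquote_linear, payload):.4f}s")
```

Running the script shows the loop's time growing about fourfold per doubling of n while the re.sub form stays flat; the same payload sent as a Cookie header to a server that decodes it with an affected interpreter produces the same scaling. Where upgrading is not immediately possible, capping the Cookie header length at the reverse proxy bounds the work the quadratic path can do, since the cost is driven by the length of a single value.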

CVSS Details

Base Score
7.5
Exploitability
3.9
Impact
3.6
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
81.2% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 2

CWE-1333 Inefficient Regular Expression Complexity
CWE-400 Uncontrolled Resource Consumption

Affected Products 17

Vendor   Product   Version   Range
python   python    *         < 3.8.20
python   python    *         >= 3.9.0, < 3.9.20
python   python    *         >= 3.10.0, < 3.10.15
python   python    *         >= 3.11.0, < 3.11.10
python   python    *         >= 3.12.0, < 3.12.6
python   python    3.13.0    any (12 entries on the page carry this version; the qualifiers that distinguish them are not shown)

References 12

  • https://github.com/python/cpython/commit/391e5626e3ee5af267b97e37abc7475732e67621 (Patch)
  • https://github.com/python/cpython/commit/44e458357fca05ca0ae2658d62c8c595b048b5ef (Patch)
  • https://github.com/python/cpython/commit/a77ab24427a18bff817025adb03ca920dc3f1a06 (Patch)
  • https://github.com/python/cpython/commit/b2f11ca7667e4d57c71c1c88b255115f16042d9a (Patch)
  • https://github.com/python/cpython/commit/d4ac921a4b081f7f996a5d2b101684b67ba0ed7f (Patch)
  • https://github.com/python/cpython/commit/d662e2db2605515a767f88ad48096b8ac623c774 (Patch)
  • https://github.com/python/cpython/commit/dcc3eaef98cd94d6cb6cb0f44bd1c903d04f33b1 (Patch)
  • https://github.com/python/cpython/issues/123067 (Exploit, Issue Tracking, Patch)
  • https://github.com/python/cpython/pull/123075 (Issue Tracking, Patch)
  • https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html
  • https://mail.python.org/archives/list/security-announce@python.org/thread/HXJAAAALNUNGCQUS2W7WR6GFIZIHFOOK/ (Mailing List)
  • https://security.netapp.com/advisory/ntap-20241018-0006/ (Third Party Advisory)

Remediation

Upgrade to a release at or past the fixed versions implied by the affected ranges above: 3.8.20, 3.9.20, 3.10.15, 3.11.10 or 3.12.6 (or a later minor series). The seven fix commits, the tracking issue (python/cpython#123067) and the pull request (python/cpython#123075) are the Patch entries under References; the Debian LTS announcement covers the distribution backport.