Inefficient Regular Expression Complexity

CVE-2024-6232

High

7.5/10

Summary

There is a medium-severity vulnerability affecting CPython. Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing is vulnerable to Regular Expression Denial of Service (ReDoS) via specifically crafted tar archives. This issue affects versions 2.3c1 through 3.8.19, 3.9.0a1 through 3.9.19, 3.10.0a1 through 3.10.14, 3.11.0a1 through 3.11.9, and v3.12.0a1 through 3.12.5, and 3.13.0a1 through 3.13.0rc1.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: NONE
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: NONE
Availability Impact: HIGH

CWE-1333 - Inefficient Regular Expression Complexity

The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

References

Advisory
Pull request
Issue
Mail Thread
Issue
Release Note

Advisory Timeline

Published Sep 03, 2024

Inefficient Regular Expression Complexity

CVE-2024-6232

Summary

CWE-1333 - Inefficient Regular Expression Complexity

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS