CVE-2022-45061

Exploit

EPSS 0.08%
Published 09.11.2022 07:15:09
Last modified 01.05.2025 15:15:58
Source cve@mitre.org
Teams watchlist Login
Open Login

An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16.

Affected products Warnungen 0 Metrics 3 CWE 1 References 37

Data is provided by the National Vulnerability Database (NVD)

Python ≫ Python Version <= 3.7.15

Python ≫ Python Version >= 3.8.0 <= 3.8.15

Python ≫ Python Version >= 3.9.0 <= 3.9.15

Python ≫ Python Version >= 3.10.0 <= 3.10.8

Python ≫ Python Version3.11.0 Update-

Python ≫ Python Version3.11.0 Updatealpha1

Python ≫ Python Version3.11.0 Updatealpha2

Python ≫ Python Version3.11.0 Updatealpha3

Python ≫ Python Version3.11.0 Updatealpha4

Python ≫ Python Version3.11.0 Updatealpha5

Python ≫ Python Version3.11.0 Updatealpha6

Python ≫ Python Version3.11.0 Updatealpha7

Python ≫ Python Version3.11.0 Updatebeta1

Python ≫ Python Version3.11.0 Updatebeta2

Python ≫ Python Version3.11.0 Updatebeta3

Python ≫ Python Version3.11.0 Updatebeta4

Python ≫ Python Version3.11.0 Updatebeta5

Python ≫ Python Version3.11.0 Updaterc1

Python ≫ Python Version3.11.0 Updaterc2

Fedoraproject ≫ Fedora Version35

Fedoraproject ≫ Fedora Version36

Fedoraproject ≫ Fedora Version37

Netapp ≫ Active Iq Unified Manager Version- SwPlatformvmware_vsphere

Netapp ≫ Active Iq Unified Manager Version- SwPlatformwindows

Netapp ≫ E-series Performance Analyzer Version-

Netapp ≫ Element Software Version-

Netapp ≫ Hci Version-

Netapp ≫ Management Services For Element Software Version-

Netapp ≫ Ontap Select Deploy Administration Utility Version-

Netapp ≫ Bootstrap Os Version-

Netapp ≫ Hci Compute Node Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.08%	0.25

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-407 Inefficient Algorithmic Complexity

An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.

https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html

https://security.gentoo.org/glsa/202305-02

Third Party Advisory

https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QLUGZSEAO3MBWGKCUSMKQIRYJZKJCIOB/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RDK3ZZBRYFO47ET3N4BNTKVXN47U6ICY/

https://github.com/python/cpython/issues/98433

Patch

Third Party Advisory

Exploit

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2AOUKI72ACV6CHY2QUFO6VK2DNMVJ2MB/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/35YDIWCUMWTMDBWFRAVENFH6BLB65D6S/