CVE-2019-9674

Published: Feb 4, 2020Modified: Dec 31, 2025

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

Lib/zipfile.py in Python through 3.7.2 allows remote attackers to cause a denial of service (resource consumption) via a ZIP bomb.

Affected (7)

Products: Python: Python · Canonical: Ubuntu Linux · Netapp: Active Iq Unified Manager

1 product

1 product

1 product

Active Iq Unified Manager

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Python Python	From 3.2 to 3.8

Configuration B

5 vulnerable

Vulnerable Software	Affected Versions
Canonical Ubuntu Linux	Version 12.04
Canonical Ubuntu Linux	Version 14.04
Canonical Ubuntu Linux	Version 16.04
Canonical Ubuntu Linux	Version 18.04
Canonical Ubuntu Linux	Version 20.04

Configuration C

1 vulnerable

Vulnerable Software	Affected Versions
Netapp Active Iq Unified Manager	All versions

Related CWEs

Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

References (18)

http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00003.html

Source: cve@mitre.org

Broken Link

http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00041.html

Source: cve@mitre.org

Broken Link

https://bugs.python.org/issue36260

Source: cve@mitre.org

Issue TrackingVendor Advisory

https://bugs.python.org/issue36462

Source: cve@mitre.org

Issue TrackingVendor Advisory

https://github.com/python/cpython/blob/master/Lib/zipfile.py

Source: cve@mitre.org

Third Party Advisory

https://python-security.readthedocs.io/security.html#archives-and-zip-bomb

Source: cve@mitre.org

Vendor Advisory

https://security.netapp.com/advisory/ntap-20200221-0003/

Source: cve@mitre.org

Third Party Advisory

https://usn.ubuntu.com/4428-1/

Source: cve@mitre.org

Third Party Advisory

https://www.python.org/news/security/

Source: cve@mitre.org

Vendor Advisory

http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00003.html

Source: af854a3a-2127-422b-91ae-364da2661108

Broken Link

http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00041.html

Source: af854a3a-2127-422b-91ae-364da2661108

Broken Link

https://bugs.python.org/issue36260

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingVendor Advisory

https://bugs.python.org/issue36462

Source: af854a3a-2127-422b-91ae-364da2661108

Issue TrackingVendor Advisory

https://github.com/python/cpython/blob/master/Lib/zipfile.py

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://python-security.readthedocs.io/security.html#archives-and-zip-bomb

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

https://security.netapp.com/advisory/ntap-20200221-0003/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://usn.ubuntu.com/4428-1/

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.python.org/news/security/

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.