CVE-2022-45061

 

Published at: - 09-11-2022 08:15

Last modified: - 14-01-2023 04:15

Total changes: - 13

Description

An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16.

Common Vulnerability Scoring System (CVSS)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

 

Verification logic

 

Reference

• https://github.com/python/cpython/issues/98433
• FEDORA-2022-45d2cfdfa4-Mailing List, Third Party Advisory
• FEDORA-2022-3e859b6bc6-Mailing List, Third Party Advisory
• FEDORA-2022-e1ce71ff40-
• FEDORA-2022-fdb2739feb-
• https://security.netapp.com/advisory/ntap-20221209-0007/
• FEDORA-2022-6f4e6120d7-
• FEDORA-2022-e6d0495206-
• FEDORA-2022-6d51289820-
• FEDORA-2022-93c6916349-
• FEDORA-2022-18b234c18b-
• FEDORA-2022-50deb53896-
• FEDORA-2022-de755fd092-
• FEDORA-2022-fd3771db30-
• FEDORA-2022-b2f06fbb62-
• FEDORA-2022-6b8b96f883-
• FEDORA-2022-3d7e44dbd5-
• FEDORA-2022-6ba889e0e3-
• FEDORA-2022-e699dd5247-
• FEDORA-2022-dbb811d203-
• FEDORA-2022-fbf6a320fe-
• FEDORA-2022-bcf089dd07-
• FEDORA-2023-a990c93ed0-
• FEDORA-2023-78b4ce2f23-
• FEDORA-2023-af5206f71d-
• FEDORA-2023-943556a733-
• FEDORA-2023-097dd40685-
• FEDORA-2023-f1381c83af-

 

Keywords

NVD

 

CVE-2022-45061

 

CVE

 

Common vulnerabilities & exposures

 

CVSS

 

Common vulnerability scoring system

 

Security

 

Vulnerabilities

 

Exposures