CVE-2024-7592 - Vulnerability Details

There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation poc

Automatable yes

Technical Impact partial

Vendors	Products
Python	Cpython Python
Redhat	Enterprise Linux

Configuration 1 [-]

OR	cpe:2.3:a:python:python::::::::
	cpe:2.3:a:python:python::::::::
	cpe:2.3:a:python:python::::::::
	cpe:2.3:a:python:python::::::::
	cpe:2.3:a:python:python::::::::
	cpe:2.3:a:python:python:3.13.0:alpha0::::::
	cpe:2.3:a:python:python:3.13.0:alpha1::::::
	cpe:2.3:a:python:python:3.13.0:alpha2::::::
	cpe:2.3:a:python:python:3.13.0:alpha3::::::
	cpe:2.3:a:python:python:3.13.0:alpha4::::::
	cpe:2.3:a:python:python:3.13.0:alpha5::::::
	cpe:2.3:a:python:python:3.13.0:alpha6::::::
	cpe:2.3:a:python:python:3.13.0:beta1::::::
	cpe:2.3:a:python:python:3.13.0:beta2::::::
	cpe:2.3:a:python:python:3.13.0:beta3::::::
	cpe:2.3:a:python:python:3.13.0:beta4::::::
	cpe:2.3:a:python:python:3.13.0:rc1::::::

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 9
python3.12-0:3.12.5-2.el9_5.3	cpe:/a:redhat:enterprise_linux:9	RHSA-2025:3631	2025-04-07T00:00:00Z
python3.11-0:3.11.9-7.el9_5.3	cpe:/a:redhat:enterprise_linux:9	RHSA-2025:3634	2025-04-07T00:00:00Z

References

Link	Providers
https://github.com/python/cpython/commit/391e5626e3ee5af267b97e37abc7475732e67621
https://github.com/python/cpython/commit/44e458357fca05ca0ae2658d62c8c595b048b5ef
https://github.com/python/cpython/commit/a77ab24427a18bff817025adb03ca920dc3f1a06
https://github.com/python/cpython/commit/b2f11ca7667e4d57c71c1c88b255115f16042d9a
https://github.com/python/cpython/commit/d4ac921a4b081f7f996a5d2b101684b67ba0ed7f
https://github.com/python/cpython/commit/d662e2db2605515a767f88ad48096b8ac623c774
https://github.com/python/cpython/commit/dcc3eaef98cd94d6cb6cb0f44bd1c903d04f33b1
https://github.com/python/cpython/issues/123067
https://github.com/python/cpython/pull/123075
https://mail.python.org/archives/list/security-announce@python.org/thread/HXJAAAALNUNGCQUS2W7WR6GFIZIHFOOK/
https://nvd.nist.gov/vuln/detail/CVE-2024-7592
https://security.netapp.com/advisory/ntap-20241018-0006/
https://www.cve.org/CVERecord?id=CVE-2024-7592

History

Tue, 08 Apr 2025 02:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat Redhat enterprise Linux
CPEs		cpe:/a:redhat:enterprise_linux:9
Vendors & Products		Redhat Redhat enterprise Linux

Fri, 31 Jan 2025 20:15:00 +0000

Type	Values Removed	Values Added
References		https://github.com/python/cpython/commit/44e458357fca05ca0ae2658d62c8c595b048b5ef

Fri, 22 Nov 2024 12:00:00 +0000

Type	Values Removed	Values Added
References		https://security.netapp.com/advisory/ntap-20241018-0006/

Wed, 04 Sep 2024 20:30:00 +0000

Type	Values Removed	Values Added
References		https://github.com/python/cpython/commit/a77ab24427a18bff817025adb03ca920dc3f1a06 https://github.com/python/cpython/commit/b2f11ca7667e4d57c71c1c88b255115f16042d9a https://github.com/python/cpython/commit/d4ac921a4b081f7f996a5d2b101684b67ba0ed7f https://github.com/python/cpython/commit/d662e2db2605515a767f88ad48096b8ac623c774

Tue, 03 Sep 2024 18:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Python cpython
CPEs		cpe:2.3:a:python:cpython::::::::
Vendors & Products		Python cpython
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Tue, 03 Sep 2024 15:15:00 +0000

Type	Values Removed	Values Added
References		https://github.com/python/cpython/commit/391e5626e3ee5af267b97e37abc7475732e67621 https://github.com/python/cpython/commit/dcc3eaef98cd94d6cb6cb0f44bd1c903d04f33b1

Tue, 20 Aug 2024 21:30:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2024-7592 https://www.cve.org/CVERecord?id=CVE-2024-7592
Metrics	threat_severity `None`	threat_severity `Low`

Tue, 20 Aug 2024 16:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Python Python python
Weaknesses		CWE-1333
CPEs		cpe:2.3:a:python:python:::::::: cpe:2.3:a:python:python:3.13.0:alpha0:::::: cpe:2.3:a:python:python:3.13.0:alpha1:::::: cpe:2.3:a:python:python:3.13.0:alpha2:::::: cpe:2.3:a:python:python:3.13.0:alpha3:::::: cpe:2.3:a:python:python:3.13.0:alpha4:::::: cpe:2.3:a:python:python:3.13.0:alpha5:::::: cpe:2.3:a:python:python:3.13.0:alpha6:::::: cpe:2.3:a:python:python:3.13.0:beta1:::::: cpe:2.3:a:python:python:3.13.0:beta2:::::: cpe:2.3:a:python:python:3.13.0:beta3:::::: cpe:2.3:a:python:python:3.13.0:beta4:::::: cpe:2.3:a:python:python:3.13.0:rc1::::::
Vendors & Products		Python Python python
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}`

Mon, 19 Aug 2024 19:15:00 +0000

Type	Values Removed	Values Added
Description		There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value.
Title		Quadratic complexity parsing cookies with backslashes
Weaknesses		CWE-400
References		https://github.com/python/cpython/issues/123067 https://github.com/python/cpython/pull/123075 https://mail.python.org/archives/list/security-announce@python.org/thread/HXJAAAALNUNGCQUS2W7WR6GFIZIHFOOK/

MITRE

Status: PUBLISHED

Assigner: PSF

Published: 2024-08-19T19:06:45.311Z

Updated: 2025-01-31T19:55:12.119Z

Reserved: 2024-08-07T15:53:07.135Z

Link: CVE-2024-7592

Vulnrichment

Updated: 2024-10-18T13:07:47.143Z

NVD

Status : Analyzed

Published: 2024-08-19T19:15:08.180

Modified: 2025-02-05T21:13:47.837

Link: CVE-2024-7592

Redhat

Severity : Low

Publid Date: 2024-08-19T00:00:00Z

Links: CVE-2024-7592 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-7592", "assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22", "state": "PUBLISHED", "assignerShortName": "PSF", "dateReserved": "2024-08-07T15:53:07.135Z", "datePublished": "2024-08-19T19:06:45.311Z", "dateUpdated": "2025-01-31T19:55:12.119Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "CPython", "repo": "https://github.com/python/cpython", "vendor": "Python Software Foundation", "versions": [{"version": "0", "lessThan": "3.8.20", "status": "affected", "versionType": "python"}, {"version": "3.9.0", "lessThan": "3.9.20", "status": "affected", "versionType": "python"}, {"version": "3.10.0", "lessThan": "3.10.15", "status": "affected", "versionType": "python"}, {"version": "3.11.0", "lessThan": "3.11.10", "status": "affected", "versionType": "python"}, {"version": "3.12.0", "lessThan": "3.12.6", "status": "affected", "versionType": "python"}, {"version": "3.13.0a1", "lessThan": "3.13.0rc2", "status": "affected", "versionType": "python"}]}], "datePublic": "2024-08-16T16:15:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "There is a LOW severity vulnerability affecting CPython, specifically the\n'http.cookies' standard library module.\nWhen parsing cookies that contained backslashes for quoted characters in\nthe cookie value, the parser would use an algorithm with quadratic\ncomplexity, resulting in excess CPU resources being used while parsing the\nvalue. "}], "value": "There is a LOW severity vulnerability affecting CPython, specifically the\n'http.cookies' standard library module.\n\n\nWhen parsing cookies that contained backslashes for quoted characters in\nthe cookie value, the parser would use an algorithm with quadratic\ncomplexity, resulting in excess CPU resources being used while parsing the\nvalue."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "28c92f92-d60d-412d-b760-e73465c3df22", "shortName": "PSF", "dateUpdated": "2025-01-31T19:55:12.119Z"}, "references": [{"tags": ["patch"], "url": "https://github.com/python/cpython/pull/123075"}, {"tags": ["issue-tracking"], "url": "https://github.com/python/cpython/issues/123067"}, {"tags": ["vendor-advisory"], "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/HXJAAAALNUNGCQUS2W7WR6GFIZIHFOOK/"}, {"tags": ["patch"], "url": "https://github.com/python/cpython/commit/391e5626e3ee5af267b97e37abc7475732e67621"}, {"tags": ["patch"], "url": "https://github.com/python/cpython/commit/dcc3eaef98cd94d6cb6cb0f44bd1c903d04f33b1"}, {"tags": ["patch"], "url": "https://github.com/python/cpython/commit/a77ab24427a18bff817025adb03ca920dc3f1a06"}, {"tags": ["patch"], "url": "https://github.com/python/cpython/commit/b2f11ca7667e4d57c71c1c88b255115f16042d9a"}, {"tags": ["patch"], "url": "https://github.com/python/cpython/commit/d4ac921a4b081f7f996a5d2b101684b67ba0ed7f"}, {"tags": ["patch"], "url": "https://github.com/python/cpython/commit/d662e2db2605515a767f88ad48096b8ac623c774"}, {"tags": ["patch"], "url": "https://github.com/python/cpython/commit/44e458357fca05ca0ae2658d62c8c595b048b5ef"}], "source": {"discovery": "UNKNOWN"}, "title": "Quadratic complexity parsing cookies with backslashes", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"affected": [{"vendor": "python", "product": "cpython", "cpes": ["cpe:2.3:a:python:cpython:*:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "versions": [{"version": "0", "status": "affected", "lessThan": "3.8.20", "versionType": "python"}, {"version": "3.9.0", "status": "affected", "lessThan": "3.9.20", "versionType": "python"}, {"version": "3.10.0", "status": "affected", "lessThan": "3.10.15", "versionType": "python"}, {"version": "3.11.0", "status": "affected", "lessThan": "3.11.10", "versionType": "python"}, {"version": "3.12.0", "status": "affected", "lessThan": "3.12.6", "versionType": "python"}, {"version": "3.13.0a1", "status": "affected", "lessThan": "3.13.0rc2", "versionType": "python"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2024-09-03T17:21:02.520596Z", "id": "CVE-2024-7592", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-09T20:53:12.739Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://security.netapp.com/advisory/ntap-20241018-0006/"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-10-18T13:07:47.143Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://security.netapp.com/advisory/ntap-20241018-0006/"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-10-18T13:07:47.143Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-7592", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-03T17:21:02.520596Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:python:cpython:*:*:*:*:*:*:*:*"], "vendor": "python", "product": "cpython", "versions": [{"status": "affected", "version": "0", "lessThan": "3.8.20", "versionType": "python"}, {"status": "affected", "version": "3.9.0", "lessThan": "3.9.20", "versionType": "python"}, {"status": "affected", "version": "3.10.0", "lessThan": "3.10.15", "versionType": "python"}, {"status": "affected", "version": "3.11.0", "lessThan": "3.11.10", "versionType": "python"}, {"status": "affected", "version": "3.12.0", "lessThan": "3.12.6", "versionType": "python"}, {"status": "affected", "version": "3.13.0a1", "lessThan": "3.13.0rc2", "versionType": "python"}], "defaultStatus": "unaffected"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-03T17:21:26.897Z"}}], "cna": {"title": "Quadratic complexity parsing cookies with backslashes", "source": {"discovery": "UNKNOWN"}, "affected": [{"repo": "https://github.com/python/cpython", "vendor": "Python Software Foundation", "product": "CPython", "versions": [{"status": "affected", "version": "0", "lessThan": "3.8.20", "versionType": "python"}, {"status": "affected", "version": "3.9.0", "lessThan": "3.9.20", "versionType": "python"}, {"status": "affected", "version": "3.10.0", "lessThan": "3.10.15", "versionType": "python"}, {"status": "affected", "version": "3.11.0", "lessThan": "3.11.10", "versionType": "python"}, {"status": "affected", "version": "3.12.0", "lessThan": "3.12.6", "versionType": "python"}, {"status": "affected", "version": "3.13.0a1", "lessThan": "3.13.0rc2", "versionType": "python"}], "defaultStatus": "unaffected"}], "datePublic": "2024-08-16T16:15:00.000Z", "references": [{"url": "https://github.com/python/cpython/pull/123075", "tags": ["patch"]}, {"url": "https://github.com/python/cpython/issues/123067", "tags": ["issue-tracking"]}, {"url": "https://mail.python.org/archives/list/security-announce@python.org/thread/HXJAAAALNUNGCQUS2W7WR6GFIZIHFOOK/", "tags": ["vendor-advisory"]}, {"url": "https://github.com/python/cpython/commit/391e5626e3ee5af267b97e37abc7475732e67621", "tags": ["patch"]}, {"url": "https://github.com/python/cpython/commit/dcc3eaef98cd94d6cb6cb0f44bd1c903d04f33b1", "tags": ["patch"]}, {"url": "https://github.com/python/cpython/commit/a77ab24427a18bff817025adb03ca920dc3f1a06", "tags": ["patch"]}, {"url": "https://github.com/python/cpython/commit/b2f11ca7667e4d57c71c1c88b255115f16042d9a", "tags": ["patch"]}, {"url": "https://github.com/python/cpython/commit/d4ac921a4b081f7f996a5d2b101684b67ba0ed7f", "tags": ["patch"]}, {"url": "https://github.com/python/cpython/commit/d662e2db2605515a767f88ad48096b8ac623c774", "tags": ["patch"]}, {"url": "https://github.com/python/cpython/commit/44e458357fca05ca0ae2658d62c8c595b048b5ef", "tags": ["patch"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "There is a LOW severity vulnerability affecting CPython, specifically the\n'http.cookies' standard library module.\n\n\nWhen parsing cookies that contained backslashes for quoted characters in\nthe cookie value, the parser would use an algorithm with quadratic\ncomplexity, resulting in excess CPU resources being used while parsing the\nvalue.", "supportingMedia": [{"type": "text/html", "value": "There is a LOW severity vulnerability affecting CPython, specifically the\n'http.cookies' standard library module.\nWhen parsing cookies that contained backslashes for quoted characters in\nthe cookie value, the parser would use an algorithm with quadratic\ncomplexity, resulting in excess CPU resources being used while parsing the\nvalue. ", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "28c92f92-d60d-412d-b760-e73465c3df22", "shortName": "PSF", "dateUpdated": "2025-01-31T19:55:12.119Z"}}}, "cveMetadata": {"cveId": "CVE-2024-7592", "state": "PUBLISHED", "dateUpdated": "2025-01-31T19:55:12.119Z", "dateReserved": "2024-08-07T15:53:07.135Z", "assignerOrgId": "28c92f92-d60d-412d-b760-e73465c3df22", "datePublished": "2024-08-19T19:06:45.311Z", "assignerShortName": "PSF"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*", "matchCriteriaId": "B475FA53-D1F3-44C8-80CD-0CEA88129109", "versionEndExcluding": "3.8.20", "vulnerable": true}, {"criteria": "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*", "matchCriteriaId": "9365E878-106E-49B6-98FC-9FA339CD5216", "versionEndExcluding": "3.9.20", "versionStartIncluding": "3.9.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*", "matchCriteriaId": "BFD756EB-DF07-4485-A2AA-59FBD7260A21", "versionEndExcluding": "3.10.15", "versionStartIncluding": "3.10.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*", "matchCriteriaId": "9EE0E5D8-452F-4862-9C23-23AC1DDEFB1E", "versionEndExcluding": "3.11.10", "versionStartIncluding": "3.11.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*", "matchCriteriaId": "5D4E662B-59E4-495E-941E-2246D2168B42", "versionEndExcluding": "3.12.6", "versionStartIncluding": "3.12.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:python:python:3.13.0:alpha0:*:*:*:*:*:*", "matchCriteriaId": "3BA51E41-D221-431F-870F-536AF2867B50", "vulnerable": true}, {"criteria": "cpe:2.3:a:python:python:3.13.0:alpha1:*:*:*:*:*:*", "matchCriteriaId": "978582FF-B8F3-479F-AE77-359E9AEE6F23", "vulnerable": true}, {"criteria": "cpe:2.3:a:python:python:3.13.0:alpha2:*:*:*:*:*:*", "matchCriteriaId": "84E3F62C-7218-4DC3-8473-8A576739643A", "vulnerable": true}, {"criteria": "cpe:2.3:a:python:python:3.13.0:alpha3:*:*:*:*:*:*", "matchCriteriaId": "1FD15706-B8BC-4801-9F93-06771F2E12C1", "vulnerable": true}, {"criteria": "cpe:2.3:a:python:python:3.13.0:alpha4:*:*:*:*:*:*", "matchCriteriaId": "0FDC359F-E8ED-4777-83FB-1EC63F095CBF", "vulnerable": true}, {"criteria": "cpe:2.3:a:python:python:3.13.0:alpha5:*:*:*:*:*:*", "matchCriteriaId": "6893BDDE-4D90-4592-8701-C6B3FFEB0CFE", "vulnerable": true}, {"criteria": "cpe:2.3:a:python:python:3.13.0:alpha6:*:*:*:*:*:*", "matchCriteriaId": "E316F712-F03A-4378-8192-D1640819698B", "vulnerable": true}, {"criteria": "cpe:2.3:a:python:python:3.13.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "8566F034-27CB-422E-950B-DCAA926CF64F", "vulnerable": true}, {"criteria": "cpe:2.3:a:python:python:3.13.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "EACCE6C3-7701-4966-9D88-E949C82FCA46", "vulnerable": true}, {"criteria": "cpe:2.3:a:python:python:3.13.0:beta3:*:*:*:*:*:*", "matchCriteriaId": "A4853BF2-9C27-465F-9840-5B37013C9F74", "vulnerable": true}, {"criteria": "cpe:2.3:a:python:python:3.13.0:beta4:*:*:*:*:*:*", "matchCriteriaId": "B266541A-E877-4CAD-A1EF-08A069441F36", "vulnerable": true}, {"criteria": "cpe:2.3:a:python:python:3.13.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "8384A34C-50CD-439C-A2BB-DEA6161342C1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "There is a LOW severity vulnerability affecting CPython, specifically the\n'http.cookies' standard library module.\n\n\nWhen parsing cookies that contained backslashes for quoted characters in\nthe cookie value, the parser would use an algorithm with quadratic\ncomplexity, resulting in excess CPU resources being used while parsing the\nvalue."}, {"lang": "es", "value": "Existe una vulnerabilidad de gravedad BAJA que afecta a CPython, espec\u00edficamente al m\u00f3dulo de librer\u00eda est\u00e1ndar 'http.cookies'. Al analizar cookies que conten\u00edan barras invertidas para caracteres entrecomillados en el valor de la cookie, el analizador usar\u00eda un algoritmo con complejidad cuadr\u00e1tica, lo que resultar\u00eda en un exceso de recursos de CPU que se usar\u00edan al analizar el valor."}], "id": "CVE-2024-7592", "lastModified": "2025-02-05T21:13:47.837", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-08-19T19:15:08.180", "references": [{"source": "cna@python.org", "tags": ["Patch"], "url": "https://github.com/python/cpython/commit/391e5626e3ee5af267b97e37abc7475732e67621"}, {"source": "cna@python.org", "tags": ["Patch"], "url": "https://github.com/python/cpython/commit/44e458357fca05ca0ae2658d62c8c595b048b5ef"}, {"source": "cna@python.org", "tags": ["Patch"], "url": "https://github.com/python/cpython/commit/a77ab24427a18bff817025adb03ca920dc3f1a06"}, {"source": "cna@python.org", "tags": ["Patch"], "url": "https://github.com/python/cpython/commit/b2f11ca7667e4d57c71c1c88b255115f16042d9a"}, {"source": "cna@python.org", "tags": ["Patch"], "url": "https://github.com/python/cpython/commit/d4ac921a4b081f7f996a5d2b101684b67ba0ed7f"}, {"source": "cna@python.org", "tags": ["Patch"], "url": "https://github.com/python/cpython/commit/d662e2db2605515a767f88ad48096b8ac623c774"}, {"source": "cna@python.org", "tags": ["Patch"], "url": "https://github.com/python/cpython/commit/dcc3eaef98cd94d6cb6cb0f44bd1c903d04f33b1"}, {"source": "cna@python.org", "tags": ["Exploit", "Issue Tracking", "Patch"], "url": "https://github.com/python/cpython/issues/123067"}, {"source": "cna@python.org", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/python/cpython/pull/123075"}, {"source": "cna@python.org", "tags": ["Mailing List"], "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/HXJAAAALNUNGCQUS2W7WR6GFIZIHFOOK/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20241018-0006/"}], "sourceIdentifier": "cna@python.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "cna@python.org", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-1333"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2025:3631", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "python3.12-0:3.12.5-2.el9_5.3", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2025-04-07T00:00:00Z"}, {"advisory": "RHSA-2025:3634", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "python3.11-0:3.11.9-7.el9_5.3", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2025-04-07T00:00:00Z"}], "bugzilla": {"description": "cpython: python: Uncontrolled CPU resource consumption when in http.cookies module", "id": "2305879", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2305879"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.8", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-400", "details": ["There is a LOW severity vulnerability affecting CPython, specifically the\n'http.cookies' standard library module.\nWhen parsing cookies that contained backslashes for quoted characters in\nthe cookie value, the parser would use an algorithm with quadratic\ncomplexity, resulting in excess CPU resources being used while parsing the\nvalue.", "A flaw was found in the `http.cookies` module in the Python package. When parsing cookies that contain backslashes, under certain circumstances, the module uses an algorithm with quadratic complexity, leading to excessive CPU consumption."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-7592", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Fix deferred", "package_name": "python", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "python", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "python3", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "gimp:flatpak/python2", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "python3", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "python3.11", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "python3.12", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "python36:3.6/python36", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "python39:3.9/python39", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "python39-devel:3.9/python39", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "python3.9", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:1", "fix_state": "Fix deferred", "package_name": "rhelai1/bootc-nvidia-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI)"}], "public_date": "2024-08-19T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-7592\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-7592\nhttps://github.com/python/cpython/issues/123067\nhttps://github.com/python/cpython/pull/123075\nhttps://mail.python.org/archives/list/security-announce@python.org/thread/HXJAAAALNUNGCQUS2W7WR6GFIZIHFOOK/"], "statement": "This vulnerability is classified as low severity, as also marked by upstream Python, because while it can cause excessive CPU usage, its exploitability is constrained by practical factors. Most production environments enforce request size limits (e.g., via web servers like Nginx or Apache), preventing attackers from sending arbitrarily large cookies. \nAdditionally, the impact is localized to individual requests, meaning it does not persistently degrade system performance or lead to remote code execution (RCE). The attack requires multiple large requests to have a significant effect, making it inefficient compared to more severe denial-of-service (DoS) vectors.", "threat_severity": "Low"}

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation poc

Automatable yes

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object