← Back to CVEs

CVE-2019-20907

HIGH

7.5

Description

In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.

CVE Details

CVSS v3.1 Score7.5

SeverityHIGH

CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack VectorNETWORK

ComplexityLOW

Privileges RequiredNONE

User InteractionNONE

Published7/13/2020

Last Modified11/21/2024

Sourcenvd

Honeypot Sightings0

Affected Products

canonical:ubuntu_linuxdebian:debian_linuxfedoraproject:fedoranetapp:active_iq_unified_managernetapp:cloud_volumes_ontap_mediatoropensuse:leaporacle:zfs_storage_appliance_kitpython:python

Weaknesses (CWE)

CWE-835

References

http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00051.html(cve@mitre.org)

http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00052.html(cve@mitre.org)

http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00053.html(cve@mitre.org)

http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00056.html(cve@mitre.org)

https://bugs.python.org/issue39017(cve@mitre.org)

https://github.com/python/cpython/pull/21454(cve@mitre.org)

https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html(cve@mitre.org)

https://lists.debian.org/debian-lts-announce/2020/11/msg00032.html(cve@mitre.org)

https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html(cve@mitre.org)

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36XI3EEQNMHGOZEI63Y7UV6XZRELYEAU/(cve@mitre.org)

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CAXHCY4V3LPAAJOBCJ26ISZ4NUXQXTUZ/(cve@mitre.org)

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CNHPQGSP2YM3JAUD2VAMPXTIUQTZ2M2U/(cve@mitre.org)

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CTUNTBJ3POHONQOTLEZC46POCIYYTAKZ/(cve@mitre.org)

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LE4O3PNDNNOMSKHNUKZKD3NGHIFUFDPX/(cve@mitre.org)

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NTBKKOLFFNHG6CM4ACDX4APHSD5ZX5N4/(cve@mitre.org)

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OXI72HIHMXCQFWTULUXDG7VDA2BCYL4Y/(cve@mitre.org)

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PDKKRXLNVXRF6VGERZSR3OMQR5D5QI6I/(cve@mitre.org)

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TOGKLGTXZLHQQFBVCAPSUDA6DOOJFNRY/(cve@mitre.org)

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V3TALOUBYU2MQD4BPLRTDQUMBKGCAXUA/(cve@mitre.org)

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V53P2YOLEQH4J7S5QHXMKMZYFTVVMTMO/(cve@mitre.org)

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VT4AF72TJ2XNIKCR4WEBR7URBJJ4YZRD/(cve@mitre.org)

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YILCHHTNLH4GG4GSQBX2MZRKZBXOLCKE/(cve@mitre.org)

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YSL3XWVDMSMKO23HR74AJQ6VEM3C2NTS/(cve@mitre.org)

https://security.gentoo.org/glsa/202008-01(cve@mitre.org)

https://security.netapp.com/advisory/ntap-20200731-0002/(cve@mitre.org)

https://usn.ubuntu.com/4428-1/(cve@mitre.org)

https://www.oracle.com/security-alerts/cpujan2021.html(cve@mitre.org)

http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00051.html(af854a3a-2127-422b-91ae-364da2661108)

http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00052.html(af854a3a-2127-422b-91ae-364da2661108)

http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00053.html(af854a3a-2127-422b-91ae-364da2661108)

http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00056.html(af854a3a-2127-422b-91ae-364da2661108)

https://bugs.python.org/issue39017(af854a3a-2127-422b-91ae-364da2661108)

https://github.com/python/cpython/pull/21454(af854a3a-2127-422b-91ae-364da2661108)

https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html(af854a3a-2127-422b-91ae-364da2661108)

https://lists.debian.org/debian-lts-announce/2020/11/msg00032.html(af854a3a-2127-422b-91ae-364da2661108)

https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html(af854a3a-2127-422b-91ae-364da2661108)

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36XI3EEQNMHGOZEI63Y7UV6XZRELYEAU/(af854a3a-2127-422b-91ae-364da2661108)

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CAXHCY4V3LPAAJOBCJ26ISZ4NUXQXTUZ/(af854a3a-2127-422b-91ae-364da2661108)

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CNHPQGSP2YM3JAUD2VAMPXTIUQTZ2M2U/(af854a3a-2127-422b-91ae-364da2661108)

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CTUNTBJ3POHONQOTLEZC46POCIYYTAKZ/(af854a3a-2127-422b-91ae-364da2661108)

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LE4O3PNDNNOMSKHNUKZKD3NGHIFUFDPX/(af854a3a-2127-422b-91ae-364da2661108)

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NTBKKOLFFNHG6CM4ACDX4APHSD5ZX5N4/(af854a3a-2127-422b-91ae-364da2661108)

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OXI72HIHMXCQFWTULUXDG7VDA2BCYL4Y/(af854a3a-2127-422b-91ae-364da2661108)

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PDKKRXLNVXRF6VGERZSR3OMQR5D5QI6I/(af854a3a-2127-422b-91ae-364da2661108)

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TOGKLGTXZLHQQFBVCAPSUDA6DOOJFNRY/(af854a3a-2127-422b-91ae-364da2661108)

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V3TALOUBYU2MQD4BPLRTDQUMBKGCAXUA/(af854a3a-2127-422b-91ae-364da2661108)

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V53P2YOLEQH4J7S5QHXMKMZYFTVVMTMO/(af854a3a-2127-422b-91ae-364da2661108)

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VT4AF72TJ2XNIKCR4WEBR7URBJJ4YZRD/(af854a3a-2127-422b-91ae-364da2661108)

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YILCHHTNLH4GG4GSQBX2MZRKZBXOLCKE/(af854a3a-2127-422b-91ae-364da2661108)

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YSL3XWVDMSMKO23HR74AJQ6VEM3C2NTS/(af854a3a-2127-422b-91ae-364da2661108)

https://security.gentoo.org/glsa/202008-01(af854a3a-2127-422b-91ae-364da2661108)

https://security.netapp.com/advisory/ntap-20200731-0002/(af854a3a-2127-422b-91ae-364da2661108)

https://usn.ubuntu.com/4428-1/(af854a3a-2127-422b-91ae-364da2661108)

https://www.oracle.com/security-alerts/cpujan2021.html(af854a3a-2127-422b-91ae-364da2661108)

IOC Correlations

No correlations recorded

This product uses data from the NVD API but is not endorsed or certified by the NVD.