CVE-2022-45061
Description
An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16.
How to fix CVE-2022-45061
To remediate CVE-2022-45061, upgrade the affected package to a fixed version below.
- —upgrade to 3.9.16-r0 or later
- —upgrade to 3.7.16 or later
- —upgrade to 3.7.16 or later
- —upgrade to 3.7.16 or later
- —upgrade to 7.3.5+dfsg-2+deb11u4 or later
- —no fix listed
- —upgrade to 3.11.1-1 or later
- —upgrade to 3.9.2-1+deb11u2 or later
Is CVE-2022-45061 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (8)
- from 0, < 3.9.16-r0
- from 0, < 3.7.16, >= 3.10.0, < 3.10.9, >= 3.11.0, < 3.11.1, >= 3.8.0, < 3.8.16, >= 3.9.0, < 3.9.16
- from 0, < 3.7.16, >= 3.10.0, < 3.10.9, >= 3.11.0, < 3.11.1, >= 3.8.0, < 3.8.16, >= 3.9.0, < 3.9.16
- from 0, < 3.7.16, >= 3.10.0, < 3.10.9, >= 3.11.0, < 3.11.1, >= 3.8.0, < 3.8.16, >= 3.9.0, < 3.9.16
- from 0, < 7.3.5+dfsg-2+deb11u4
- from 0
- from 0, < 3.11.1-1
- from 0, < 3.9.2-1+deb11u2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |