CVE-2024-7592

Description

There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value.

How to fix CVE-2024-7592

To remediate CVE-2024-7592, upgrade the affected package to a fixed version below.

• —upgrade to 3.10.15-r0 or later
• —upgrade to 3.8.20 or later
• —upgrade to 3.8.20 or later
• —upgrade to 3.8.20 or later
• —upgrade to 7.3.5+dfsg-2+deb11u5 or later
• —upgrade to 3.11.2-6+deb12u5 or later
• —upgrade to 3.13.0~rc2-1 or later
• —upgrade to 3.9.2-1+deb11u2 or later

Is CVE-2024-7592 being exploited?

Low — EPSS is 0.9%, meaning exploitation activity has not been observed at scale.

Affected packages (8)

• from 0, < 3.10.15-r0
• from 0, < 3.8.20, >= 3.9.0, < 3.9.20, >= 3.10.0, < 3.10.15, >= 3.11.0, < 3.11.10, >= 3.12.0, < 3.12.6
• from 0, < 3.8.20, >= 3.9.0, < 3.9.20, >= 3.10.0, < 3.10.15, >= 3.11.0, < 3.11.10, >= 3.12.0, < 3.12.6
• from 0, < 3.8.20, >= 3.9.0, < 3.9.20, >= 3.10.0, < 3.10.15, >= 3.11.0, < 3.11.10, >= 3.12.0, < 3.12.6
• from 0, < 7.3.5+dfsg-2+deb11u5
• from 0, < 3.11.2-6+deb12u5
• from 0, < 3.13.0~rc2-1
• from 0, < 3.9.2-1+deb11u2

CVSS scores

References (15)

• ADVISORYsecurity.alpinelinux.org/vuln/CVE-2024-7592
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2024-7592
• WEBgithub.com/python/cpython/commit/391e5626e3ee5af267b97e37abc7475732e67621
• WEBgithub.com/python/cpython/commit/44e458357fca05ca0ae2658d62c8c595b048b5ef