CVE-2019-20907

moderate-risk

Published 2020-07-13

In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.

Do I need to act?

0.32% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.5/10 High

NETWORK / LOW complexity

Affected Products (14)

Python

Leap

Debian Linux

Fedora

Ubuntu Linux

Active Iq Unified Manager

Cloud Volumes Ontap Mediator

Zfs Storage Appliance Kit

Affected Vendors

Debian Oracle Python Canonical Fedoraproject Netapp Opensuse

References (54)

Mailing List http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00051.html

Mailing List http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00052.html

Mailing List http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00053.html

Mailing List http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00056.html

Issue Tracking https://bugs.python.org/issue39017

Patch https://github.com/python/cpython/pull/21454

Mailing List https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html

Mailing List https://lists.debian.org/debian-lts-announce/2020/11/msg00032.html

https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...

and 34 more references

/ 100

moderate-risk

Severity 26/34 · High

Exploitability 1/34 · Minimal

Exposure 18/34 · Moderate