CVE-2021-40839

moderate-risk
Published 2021-09-10

The rencode package through 1.0.6 for Python allows an infinite loop in typecode decoding (such as via ;\x2f\x7f), enabling a remote attack that consumes CPU and memory.

Do I need to act?

!
13.8% chance of exploitation in next 30 days
EPSS score — higher than 86% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.5/10 High
NETWORK / LOW complexity

Affected Products (3)

Affected Vendors

Fedoraproject Rencode Project

References (14)

Patch https://github.com/aresch/rencode/commit/572ff74586d9b1daab904c6f7f7009ce0143bb7...
Patch https://github.com/aresch/rencode/pull/29
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
Third Party Advisory https://pypi.org/project/rencode/#history
Mailing List https://seclists.org/fulldisclosure/2021/Sep/16
Third Party Advisory https://security.netapp.com/advisory/ntap-20211008-0001/
Patch https://github.com/aresch/rencode/commit/572ff74586d9b1daab904c6f7f7009ce0143bb7...
Patch https://github.com/aresch/rencode/pull/29
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...
Third Party Advisory https://pypi.org/project/rencode/#history
Mailing List https://seclists.org/fulldisclosure/2021/Sep/16
Third Party Advisory https://security.netapp.com/advisory/ntap-20211008-0001/
47
/ 100
moderate-risk
Severity 26/34 · High
Exploitability 12/34 · Low
Exposure 9/34 · Low