CVE-2024-7592

moderate-risk
Published 2024-08-19

There is a LOW severity vulnerability affecting CPython, specifically the 'http.cookies' standard library module. When parsing cookies that contained backslashes for quoted characters in the cookie value, the parser would use an algorithm with quadratic complexity, resulting in excess CPU resources being used while parsing the value.

Do I need to act?

~
1.0% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.5/10 High
NETWORK / LOW complexity

Affected Products (13)

Affected Vendors

Python

References (12)

Patch https://github.com/python/cpython/commit/391e5626e3ee5af267b97e37abc7475732e6762...
Patch https://github.com/python/cpython/commit/44e458357fca05ca0ae2658d62c8c595b048b5e...
Patch https://github.com/python/cpython/commit/a77ab24427a18bff817025adb03ca920dc3f1a0...
Patch https://github.com/python/cpython/commit/b2f11ca7667e4d57c71c1c88b255115f16042d9...
Patch https://github.com/python/cpython/commit/d4ac921a4b081f7f996a5d2b101684b67ba0ed7...
Patch https://github.com/python/cpython/commit/d662e2db2605515a767f88ad48096b8ac623c77...
Patch https://github.com/python/cpython/commit/dcc3eaef98cd94d6cb6cb0f44bd1c903d04f33b...
Exploit https://github.com/python/cpython/issues/123067
Issue Tracking https://github.com/python/cpython/pull/123075
Mailing List https://mail.python.org/archives/list/security-announce@python.org/thread/HXJAAA...
https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html
Third Party Advisory https://security.netapp.com/advisory/ntap-20241018-0006/
46
/ 100
moderate-risk
Severity 26/34 · High
Exploitability 3/34 · Minimal
Exposure 17/34 · Moderate