Python · Cpython · CVE-2024-0450
**Name of the Vulnerable Software and Affected Versions**
CPython versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior
**Description**
The CPython `zipfile` module is vulnerable to “quoted-overlap” zip bombs, which exploit the ZIP format to create a zip bomb with a very high compression ratio by having multiple archive entries reference overlapping byte ranges. This issue can be exploited to cause a denial-of-service condition by persuading a victim to open a specially crafted ZIP file. The fixed versions of CPython make the `zipfile` module reject archives whose entries overlap.
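The following is an added example, not CPython's own patch, showing the kind of pre-extraction check a defender can run on an unpatched interpreter: it walks the central directory via `zipfile`, reads each entry's actual local header to get the exact byte span the entry claims, flags any two entries whose spans overlap, and separately flags an implausible overall compression ratio. The function names, the `max_ratio` parameter and the in-memory two-file sample archive are assumptions of this example; the sample is an ordinary archive constructed with `zipfile`, not a zip bomb.

```python
import io
import struct
import zipfile

# Fixed part of a ZIP local file header: signature through extra-field length (30 bytes).
LOCAL_HEADER_FIXED = 30
LOCAL_HEADER_STRUCT = "<4sHHHHHIIIHH"
LOCAL_HEADER_SIG = b"PK\x03\x04"


def local_header_length(fileobj, header_offset):
    """Read the local file header at header_offset and return its full length:
    the fixed 30 bytes plus the variable-length file name and extra field.
    The lengths are read from the local header itself, since the central
    directory's copy of the extra field may differ from the local one."""
    fileobj.seek(header_offset)
    raw = fileobj.read(LOCAL_HEADER_FIXED)
    if len(raw) != LOCAL_HEADER_FIXED:
        raise zipfile.BadZipFile(f"truncated local header at offset {header_offset}")
    fields = struct.unpack(LOCAL_HEADER_STRUCT, raw)
    if fields[0] != LOCAL_HEADER_SIG:
        raise zipfile.BadZipFile(f"bad local header signature at offset {header_offset}")
    name_len, extra_len = fields[-2], fields[-1]
    return LOCAL_HEADER_FIXED + name_len + extra_len


def find_overlapping_entries(spans):
    """Given (name, start, end) byte spans, return (earlier_name, later_name) pairs
    whose ranges overlap. A running maximum end offset also catches entries nested
    inside an earlier, larger one, not only collisions with the immediate predecessor."""
    ordered = sorted(spans, key=lambda s: s[1])
    overlaps = []
    max_end, max_name = -1, None
    for name, start, end in ordered:
        if max_name is not None and start < max_end:
            overlaps.append((max_name, name))
        if end > max_end:
            max_end, max_name = end, name
    return overlaps


def compression_ratio(entries):
    """Total declared uncompressed size over total declared compressed size."""
    compressed = sum(e.compress_size for e in entries)
    uncompressed = sum(e.file_size for e in entries)
    if compressed == 0:
        return float("inf") if uncompressed else 0.0
    return uncompressed / compressed


def check_archive(fileobj, max_ratio=100.0):
    """Return a list of problem descriptions; an empty list means the archive
    passed both the overlap check and the compression-ratio check."""
    with zipfile.ZipFile(fileobj) as zf:
        entries = zf.infolist()  # central-directory view of every entry
    # Byte span of each entry: local header + compressed data, as the headers claim.
    spans = [
        (e.filename, e.header_offset,
         e.header_offset + local_header_length(fileobj, e.header_offset) + e.compress_size)
        for e in entries
    ]
    problems = []
    for earlier, later in find_overlapping_entries(spans):
        problems.append(f"entry {later!r} overlaps entry {earlier!r}")
    ratio = compression_ratio(entries)
    if ratio > max_ratio:
        problems.append(f"compression ratio {ratio:.1f} exceeds limit {max_ratio}")
    return problems


def build_sample_archive():
    """Constructed sample input: an ordinary two-entry archive built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("a.txt", "hello " * 100)
        zf.writestr("b.txt", "world " * 100)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    print(check_archive(build_sample_archive()) or "archive passed checks")
```

On a fixed CPython, `ZipFile.open()` itself raises `BadZipFile` for overlapping entries, so this check is a supplement for interpreters that cannot yet be updated. Both sizes and offsets come from headers the archive author controls, so a hard cap on the number of bytes actually read during extraction remains the robust defence against decompression bombs in general.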
**Recommendations**
For versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior, update to a version that includes the fix for the `zipfile` module vulnerability.
As a temporary workaround, consider disabling the `zipfile` module until a patch is available.
Restrict access to the `zipfile` module to minimize the risk of exploitation.
Avoid using the `zipfile` module to open untrusted ZIP files until the issue is resolved.