PT-2017-4103 · Python · Python Priority Library

Published

2017-01-10

·

Updated

2022-05-17

·

CVE-2016-6580

CVSS v2.0

7.8

High

Vector

AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions

Python priority library, versions prior to 1.2.0

Description

The vulnerability is an allocation of resources without limits in the Python priority library, which maintains the HTTP/2 stream dependency (priority) tree for implementations built on it. A malicious peer can send priority information (PRIORITY frames, or HEADERS frames carrying priority fields) for every possible HTTP/2 stream ID. The tree stores a node for each stream it is told about and never discards them, so it allocates an unbounded amount of memory; maintaining and traversing a tree of that size also drives CPU usage extremely high. The result is a denial of service against the server.

Recommendations

Update to priority 1.2.0 or later. As a temporary workaround, cap the number of streams for which priority information is kept per connection: discard (or treat as a connection error) any priority update that would add a new stream to the tree beyond a fixed limit, so a peer cannot force the tree to grow without bound.
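The following is an added example, not code from the priority project or the advisory: a minimal HTTP/2 PRIORITY frame builder and parser feeding a dependency tree that refuses to track more than a configured number of streams, replayed against constructed attacker traffic that asserts priority on every client-initiated stream ID. The class and exception names, the helper functions and the default cap of 1000 are illustrative assumptions and are not the library's API.

```python
"""Bounded handling of HTTP/2 PRIORITY frames (added example, not the priority library)."""
import struct

PRIORITY_FRAME_TYPE = 0x2      # RFC 7540 section 6.3
FRAME_HEADER_LEN = 9
PRIORITY_PAYLOAD_LEN = 5


class TooManyStreamsError(Exception):
    """Raised when a peer tries to make the tree track more streams than allowed (illustrative name)."""


def build_priority_frame(stream_id, depends_on=0, weight=16, exclusive=False):
    """Serialise a PRIORITY frame; used here only to construct attacker traffic."""
    payload = struct.pack(">IB", (int(exclusive) << 31) | (depends_on & 0x7FFFFFFF), weight - 1)
    header = struct.pack(">I", len(payload))[1:]            # 24-bit length
    header += bytes([PRIORITY_FRAME_TYPE, 0x00])            # type, flags
    header += struct.pack(">I", stream_id & 0x7FFFFFFF)     # R bit + 31-bit stream identifier
    return header + payload


def iter_frames(data):
    """Yield (type, flags, stream_id, payload) for each complete frame in data."""
    offset = 0
    while offset + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[offset:offset + 3], "big")
        frame_type, flags = data[offset + 3], data[offset + 4]
        stream_id = struct.unpack(">I", data[offset + 5:offset + 9])[0] & 0x7FFFFFFF
        start = offset + FRAME_HEADER_LEN
        payload = data[start:start + length]
        if len(payload) < length:
            break  # truncated frame: wait for more bytes
        yield frame_type, flags, stream_id, payload
        offset = start + length


def parse_priority_payload(payload):
    """Return (exclusive, depends_on, weight) from a 5-byte PRIORITY payload."""
    if len(payload) != PRIORITY_PAYLOAD_LEN:
        raise ValueError("PRIORITY payload must be exactly 5 bytes")
    dep_word, weight_byte = struct.unpack(">IB", payload)
    return bool(dep_word >> 31), dep_word & 0x7FFFFFFF, weight_byte + 1


class BoundedPriorityTree:
    """Dependency tree that caps the number of streams it is willing to remember."""

    def __init__(self, maximum_streams=1000):
        # maximum_streams=None reproduces the unbounded (pre-fix style) behaviour
        self.maximum_streams = maximum_streams
        self._streams = {0: (None, 0, False)}  # stream 0 is the root of the tree

    def __len__(self):
        return len(self._streams) - 1

    def insert_or_update(self, stream_id, depends_on, weight, exclusive):
        if stream_id == 0 or stream_id == depends_on:
            raise ValueError("invalid PRIORITY: stream 0 or self-dependency")
        is_new = stream_id not in self._streams
        if is_new and self.maximum_streams is not None and len(self) >= self.maximum_streams:
            raise TooManyStreamsError(f"peer tried to track more than {self.maximum_streams} streams")
        if depends_on not in self._streams:
            depends_on, weight, exclusive = 0, 16, False  # unknown parent: default priority
        self._streams[stream_id] = (depends_on, weight, exclusive)


def process_connection(data, maximum_streams=1000):
    """Feed raw frames from one peer into a bounded tree and summarise what happened."""
    tree = BoundedPriorityTree(maximum_streams)
    summary = {"accepted": 0, "rejected": 0, "tracked": 0}
    for frame_type, _flags, stream_id, payload in iter_frames(data):
        if frame_type != PRIORITY_FRAME_TYPE:
            continue
        exclusive, depends_on, weight = parse_priority_payload(payload)
        try:
            tree.insert_or_update(stream_id, depends_on, weight, exclusive)
            summary["accepted"] += 1
        except TooManyStreamsError:
            summary["rejected"] += 1  # a real server would instead close the connection
    summary["tracked"] = len(tree)
    return summary


def attacker_priority_flood(count):
    """Constructed attacker traffic: PRIORITY for the first `count` client stream IDs (odd)."""
    return b"".join(build_priority_frame(2 * i + 1) for i in range(count))


if __name__ == "__main__":
    flood = attacker_priority_flood(5000)
    print("unbounded:", process_connection(flood, maximum_streams=None))
    print("capped:   ", process_connection(flood, maximum_streams=1000))
```

With the cap in place the tree stops growing at 1000 nodes and the remaining 4000 updates are rejected, whereas the unbounded variant tracks every stream the peer names; updates to a stream already in the tree do not count against the cap, so legitimate reprioritisation keeps working.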

Weakness Enumeration

Allocation of Resources Without Limits

Related Identifiers

BDU:2021-03083
CVE-2016-6580
GHSA-H3Q4-6J7F-R24C
PYSEC-2017-93

Affected Products

Python Priority Library