PT-2024-5225 · Python+5 · Cpython+5

Published 2024-07-08 · Updated 2026-01-19 · CVE-2024-5569

CVSS v4.0: 6.9 (Medium)

Vector: AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: jaraco/zipp versions prior to 3.19.1
Description: A Denial of Service (DoS) issue exists in the jaraco/zipp library, triggered when processing a specially crafted zip file that leads to an infinite loop. This issue also impacts the zipfile module of CPython, as features from the third-party zipp library are later merged into CPython, and the affected code is identical in both projects. The infinite loop can be initiated through the use of functions affecting the Path module in both zipp and zipfile, such as joinpath, the overloaded division operator, and iterdir. Although the infinite loop is not resource exhaustive, it prevents the application from responding.
Recommendations: For versions prior to 3.19.1, update to version 3.19.1 or later to resolve the issue. As a temporary workaround, consider avoiding the use of functions affecting the Path module, such as joinpath, the overloaded division operator, and iterdir, when processing zip files until a patch is available.
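The workaround above (stay off zipfile.Path / zipp.Path and its joinpath, `/` and iterdir until the fix is in place) can be turned into a small pre-check. The following is an added example, not code from the advisory or from the zipp/CPython projects: it gates on the installed zipp version named here (3.19.1), enumerates members with the plain `ZipFile.namelist()` API only, and rejects entry names that cannot form a well-formed tree. The name filter is a generic sanity check assumed for this example; the advisory does not describe the crafted file's contents.

```python
"""Defensive pre-checks for zip processing under CVE-2024-5569 (added example)."""
import io
import re
import zipfile
from importlib import metadata

FIXED_ZIPP = (3, 19, 1)  # first fixed zipp release named in the advisory


def version_tuple(text):
    """Leading numeric components of a version string: '3.19.1' -> (3, 19, 1)."""
    return tuple(int(part) for part in re.findall(r"\d+", text)[:3]) or (0,)


def zipp_is_fixed():
    """True if the installed zipp package is >= 3.19.1; None if zipp is absent."""
    try:
        installed = metadata.version("zipp")
    except metadata.PackageNotFoundError:
        return None
    return version_tuple(installed) >= FIXED_ZIPP


def suspicious_entry_names(names):
    """Names that cannot form a sane directory tree (assumed generic filter):
    empty names, absolute paths, empty path components, parent references."""
    bad = []
    for name in names:
        parts = name.split("/")
        inner = parts[:-1] if name.endswith("/") else parts  # trailing "/" = directory entry
        if name == "" or name.startswith("/") or "" in inner or ".." in parts:
            bad.append(name)
    return bad


def list_entries_without_path(data):
    """List members via ZipFile.namelist() only (no Path/joinpath/iterdir).
    Raises ValueError instead of handing a malformed archive to Path objects."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    bad = suspicious_entry_names(names)
    if bad:
        raise ValueError(f"refusing malformed entry names: {bad}")
    return names


def make_sample_zip():
    """Constructed sample archive (not from the advisory) with two ordinary members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("a/b.txt", "hello")
        zf.writestr("c.txt", "world")
    return buf.getvalue()
```

Once `zipp_is_fixed()` reports True (and the CPython build in use carries the same fix), the Path-based API can be used again; the name filter remains a reasonable guard for any archive taken from an untrusted source.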

Tags: Fix · DoS · Infinite Loop · Resource Exhaustion

Related Identifiers

AZL-43189
AZL-43198
BDU:2024-05789
CVE-2024-5569
GHSA-JFMJ-5V4G-7637
MGASA-2025-0066
OESA-2024-1887
OESA-2024-1888
OESA-2024-1889
OESA-2024-1890
OPENSUSE-SU-2024:14167-1
OPENSUSE-SU-2024_2400-1
RHSA-2024:6428
RHSA-2024:8232
RHSA-2024:8418
RHSA-2024:8906
RHSA-2024:9977
SUSE-SU-2024:2397-1
SUSE-SU-2024:2400-1
SUSE-SU-2024:4020-1
SUSE-SU-2024:4021-1
SUSE-SU-2024:4029-1
SUSE-SU-2024_2400-1
USN-6906-1

Affected Products

Cpython
Debian
Linuxmint
Red Os
Suse
Ubuntu