{"id":"BIT-python-min-2024-0450","summary":"Quoted zip-bomb protection for zipfile","details":"An issue was found in the CPython `zipfile` module affecting versions 3.12.1, 3.11.7, 3.10.13, 3.9.18, and 3.8.18 and prior.\n\nThe zipfile module is vulnerable to “quoted-overlap” zip-bombs which exploit the zip format to create a zip-bomb with a high compression ratio. The fixed versions of CPython makes the zipfile module reject zip archives which overlap entries in the archive.","aliases":["BIT-libpython-2024-0450","BIT-python-2024-0450","CVE-2024-0450","PSF-2024-2"],"modified":"2025-11-06T13:25:46.476Z","published":"2025-01-17T15:06:28.314Z","database_specific":{"severity":"Medium","cpes":["cpe:2.3:a:python:python:*:*:*:*:*:*:*:*"]},"references":[{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2024/03/20/5"},{"type":"WEB","url":"https://github.com/python/cpython/commit/30fe5d853b56138dbec62432d370a1f99409fc85"},{"type":"WEB","url":"https://github.com/python/cpython/commit/66363b9a7b9fe7c99eba3a185b74c5fdbf842eba"},{"type":"WEB","url":"https://github.com/python/cpython/commit/70497218351ba44bffc8b571201ecb5652d84675"},{"type":"WEB","url":"https://github.com/python/cpython/commit/a2c59992e9e8d35baba9695eb186ad6c6ff85c51"},{"type":"WEB","url":"https://github.com/python/cpython/commit/a956e510f6336d5ae111ba429a61c3ade30a7549"},{"type":"WEB","url":"https://github.com/python/cpython/commit/d05bac0b74153beb541b88b4fca33bf053990183"},{"type":"WEB","url":"https://github.com/python/cpython/commit/fa181fcf2156f703347b03a3b1966ce47be8ab3b"},{"type":"WEB","url":"https://github.com/python/cpython/issues/109858"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2024/03/msg00024.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2024/03/msg00025.html"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/T3IGRX54M7RNCQOXVQO5KQKTGWCOABIM/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/U5VHWS52HGD743C47UMCSAK2A773M2YE/"},{"type":"WEB","url":"https://mail.python.org/archives/list/security-announce@python.org/thread/XELNUX2L3IOHBTFU7RQHCY6OUVEWZ2FG/"},{"type":"WEB","url":"https://www.bamsoftware.com/hacks/zipbomb/"},{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-0450"},{"type":"WEB","url":"https://security.netapp.com/advisory/ntap-20250411-0005/"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2024/11/msg00005.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html"}],"affected":[{"package":{"name":"python-min","ecosystem":"Bitnami","purl":"pkg:bitnami/python-min"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"3.8.19"},{"introduced":"3.9.0"},{"fixed":"3.9.19"},{"introduced":"3.10.0"},{"fixed":"3.10.14"},{"introduced":"3.11.0"},{"fixed":"3.11.8"},{"introduced":"3.12.0"},{"fixed":"3.12.2"}]}],"database_specific":{"source":"https://github.com/bitnami/vulndb/tree/main/data/python-min/BIT-python-min-2024-0450.json"},"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}],"schema_version":"1.7.3"}