中危 python python 未加控制的资源消耗(资源穷尽)

CVE编号

CVE-2022-45061

利用情况

暂无

补丁情况

官方补丁

披露时间

2022-11-09
漏洞描述
An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16.
解决建议
建议您更新当前系统或软件至最新版,完成漏洞的修复。
参考链接
https://github.com/python/cpython/issues/98433
https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html
https://lists.debian.org/debian-lts-announce/2023/06/msg00039.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedora...
https://security.gentoo.org/glsa/202305-02
https://security.netapp.com/advisory/ntap-20221209-0007/
受影响软件情况
# 类型 厂商 产品 版本 影响面
1
运行在以下环境
应用 python python * Up to
(including)
3.7.15
运行在以下环境
应用 python python * From
(including)
3.10.0 		Up to
(including)
3.10.8
运行在以下环境
应用 python python * From
(including)
3.8.0 		Up to
(including)
3.8.15
运行在以下环境
应用 python python * From
(including)
3.9.0 		Up to
(including)
3.9.15
运行在以下环境
应用 python python 3.11.0 -
运行在以下环境
系统 alma_linux_8 python3-idle * Up to
(excluding)
3.6.8-48.el8_7.1.alma
运行在以下环境
系统 alma_linux_9 python3 * Up to
(excluding)
3.9.14-1.el9_1.2
运行在以下环境
系统 alpine_3.14 python3 * Up to
(excluding)
3.9.16-r0
运行在以下环境
系统 alpine_3.15 python3 * Up to
(excluding)
3.9.16-r0
运行在以下环境
系统 alpine_3.16 python3 * Up to
(excluding)
3.10.9-r0
运行在以下环境
系统 alpine_3.17 python3 * Up to
(excluding)
3.10.9-r0
运行在以下环境
系统 alpine_3.18 python3 * Up to
(excluding)
3.11.1-r0
运行在以下环境
系统 alpine_3.19 python3 * Up to
(excluding)
3.11.1-r0
运行在以下环境
系统 amazon_2 python * Up to
(excluding)
2.7.18-1.amzn2.0.6
运行在以下环境
系统 amazon_2022 python3.9 * Up to
(excluding)
3.9.16-1.amzn2022.0.1
运行在以下环境
系统 amazon_2023 python3.9 * Up to
(excluding)
3.9.16-1.amzn2023.0.2
运行在以下环境
系统 amazon_AMI python38 * Up to
(excluding)
3.8.5-1.9.amzn1
运行在以下环境
系统 anolis_os_8 python3 * Up to
(excluding)
3.6.8-48.0.2
运行在以下环境
系统 debian_10 python2.7 * Up to
(excluding)
2.7.16-2+deb10u2
运行在以下环境
系统 debian_12 python3.11 * Up to
(excluding)
3.11.1-1
运行在以下环境
系统 fedora_35 python3.7 * Up to
(excluding)
3.7.16-1.fc35
运行在以下环境
系统 fedora_36 pypy3.8 * Up to
(excluding)
7.3.11-1.3.8.fc36
运行在以下环境
系统 fedora_37 pypy * Up to
(excluding)
7.3.12-3.fc37
运行在以下环境
系统 fedora_38 pypy * Up to
(excluding)
7.3.12-3.fc38
运行在以下环境
系统 fedora_39 pypy * Up to
(excluding)
7.3.12-3.fc39
运行在以下环境
系统 fedora_40 pypy * Up to
(excluding)
7.3.12-3.fc40
运行在以下环境
系统 kylinos_aarch64_V10SP1 python3 * Up to
(excluding)
3.7.9-20.p04.se.ky10
运行在以下环境
系统 kylinos_aarch64_V10SP2 python3 * Up to
(excluding)
3.7.9-20.p04.se.ky10
运行在以下环境
系统 kylinos_aarch64_V10SP3 python3 * Up to
(excluding)
3.7.9-18.se.04.p01.ky10
运行在以下环境
系统 kylinos_loongarch64_V10SP1 python3 * Up to
(excluding)
3.7.9-7.p10.se.a.ky10
运行在以下环境
系统 kylinos_loongarch64_V10SP3 python3 * Up to
(excluding)
3.7.9-18.se.03.p05.a.ky10
运行在以下环境
系统 kylinos_x86_64_V10SP1 python3 * Up to
(excluding)
3.7.9-20.p04.se.ky10
运行在以下环境
系统 kylinos_x86_64_V10SP2 python3 * Up to
(excluding)
3.7.9-20.p04.se.ky10
运行在以下环境
系统 kylinos_x86_64_V10SP3 python3 * Up to
(excluding)
3.7.9-18.se.04.p01.ky10
运行在以下环境
系统 opensuse_5.3 python3 * Up to
(excluding)
3.6.15-150300.10.40.1
运行在以下环境
系统 opensuse_Leap_15.3 python39 * Up to
(excluding)
3.9.15-150300.4.21.1
运行在以下环境
系统 opensuse_Leap_15.4 python * Up to
(excluding)
2.7.18-150000.48.1
运行在以下环境
系统 oracle_8 python3-idle * Up to
(excluding)
3.6.8-48.0.1.el8_7.1
运行在以下环境
系统 oracle_9 python3 * Up to
(excluding)
3.9.14-1.el9_1.2
运行在以下环境
系统 redhat_8 python3-idle * Up to
(excluding)
3.6.8-48.el8_7.1
运行在以下环境
系统 redhat_9 python3 * Up to
(excluding)
3.9.14-1.el9_1.2
运行在以下环境
系统 rocky_linux_8 python3 * Up to
(excluding)
3.6.8-48.el8_7.1.rocky.0
运行在以下环境
系统 rocky_linux_9 python3 * Up to
(excluding)
3.9.14-1.el9_1.2
运行在以下环境
系统 suse_12_SP5 python * Up to
(excluding)
2.7.18-33.17.1
运行在以下环境
系统 ubuntu_18.04 python2.7 * Up to
(excluding)
3.6.9-1~18.04ubuntu1.9
运行在以下环境
系统 ubuntu_20.04 python3.8 * Up to
(excluding)
3.8.10-0ubuntu1~20.04.6
运行在以下环境
系统 ubuntu_22.10 python3.10 * Up to
(excluding)
3.10.7-1ubuntu0.2
阿里云评分
6.2
  • 攻击路径
    本地
  • 攻击复杂度
    复杂
  • 权限要求
    普通权限
  • 影响范围
    越权影响
  • EXP成熟度
    未验证
  • 补丁情况
    官方补丁
  • 数据保密性
    数据泄露
  • 数据完整性
    无影响
  • 服务器危害
    无影响
  • 全网数量
    N/A
CWE-ID 漏洞类型
CWE-400 未加控制的资源消耗(资源穷尽)
CWE-407 算法复杂性
阿里云安全产品覆盖情况