CVE-2022-45061
CVE Details
Last Update
10/10/24
NIST CVE Summary
An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16.
Our Official Summary
This CVE affects Python before 3.11.1 and the 3.7 to 3.10 release lines before the fixed versions listed in the NIST summary (3.10.9, 3.9.16, 3.8.16 and 3.7.16). One path in the standard library's IDNA (RFC 3490) codec (encodings.idna, the code behind str.encode("idna") and bytes.decode("idna"), and used by socket.getaddrinfo() and http.client whenever a hostname contains non-ASCII characters) runs an unnecessary quadratic algorithm, so a crafted, unreasonably long hostname label makes CPU time grow with the square of its length and denies service to the process that decodes it. Hostnames frequently come from untrusted sources: a Location header on an HTTP 302 response from a malicious server, a URL pulled from remote configuration, or a user-supplied hostname on a web server or API, so any Python component in the image that resolves or connects to such names is exposed. The affected code is the interpreter's built-in codec, not the third-party idna package from PyPI, so the only remediation is to upgrade the Python runtime in the images reported; there is no configuration-level workaround.
CVE Severity
Status
Ongoing
Affected Products & Versions
- Palette VerteX airgap 4.4.18
Revision History
- 1.0 9/13/2024 Initial Publication
- 2.0 9/13/2024 Added Palette VerteX airgap 4.4.18 to Affected Products
- 3.0 10/10/2024 CVE remediated in Palette VerteX 4.5.3