
CVE-2024-6232

CVE Details

Visit the official vulnerability details page for CVE-2024-6232 to learn more.

Initial Publication

10/25/2024

Last Update

12/13/2024

Third Party Dependency

pyc

NIST CVE Summary

There is a MEDIUM severity vulnerability affecting CPython.

Regular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives.

CVE Severity

7.5 (CVSS base score; note that 7.5 is High on the CVSS v3 scale, while the summary above describes the issue as MEDIUM severity)

Our Official Summary

This CVE affects all images that use Python's tarfile module. Exploiting it requires a specifically crafted tar archive that causes excessive regular-expression backtracking while tarfile parses its headers; a successful exploit results in a denial of service (the process parsing the archive hangs). From our product's point of view, the risk of this vulnerability being exploited is very low: it does not enable remote code execution, and an attacker would first have to compromise one of the images that use this Python module, feed it a specially crafted tar file, and rely on the underlying system processing that file, which limits the attack vector. A fix is not available at this time. We will upgrade the library once the fix becomes available.
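The following is an added example, not Spectro Cloud's code and not CPython's tarfile source. It shows the two things the summaries above leave implicit: why a crafted pax extended header is enough (an unanchored regular expression searched across an attacker-sized buffer retries its leading `\d+` from every offset, so a buffer that is mostly digits costs O(n^2)), and what a consumer can do while a fix is pending (parse pax records with a bounded linear scanner, and walk an untrusted archive's 512-byte headers to cap the size of any pax extended header before tarfile ever sees it). The regex is a model of the vulnerable shape, not a copy of the patched CPython patterns. The cap `MAX_PAX_HEADER`, the helper names, the sample pax buffer and the crafted archive are all assumptions constructed for this example.

```python
"""Added example: not Spectro Cloud's code and not CPython's tarfile source.
Models the bug class in the advisory (an unanchored regex searched over an
attacker-sized pax header) and two mitigations a consumer can apply today."""
import io
import re
import tarfile
import time

BLOCK = 512
MAX_PAX_HEADER = 64 * 1024   # assumed policy limit, not a value from the advisory

# Constructed sample pax buffer: each record is b"<len> <key>=<value>\n" where
# <len> counts the whole record, including itself and the trailing newline.
PAX_SAMPLE = b"25 ctime=1084839148.1212\n21 hdrcharset=BINARY\n14 path=a.txt\n"

# Model of the vulnerable shape: an unanchored search for one record across the
# whole buffer. On b"9" * n the engine retries \d+ from every offset: O(n^2).
HDRCHARSET_RE = re.compile(rb"\d+ hdrcharset=([^\n]+)\n")


def hdrcharset_regex(buf: bytes):
    """Regex lookup of the hdrcharset record (quadratic on a digit flood)."""
    m = HDRCHARSET_RE.search(buf)
    return m.group(1) if m else None


def parse_pax_records(buf: bytes) -> dict:
    """Linear-time pax record parser: every scan is bounded by the declared
    record length, so malformed input fails fast instead of backtracking."""
    records, pos, n = {}, 0, len(buf)
    while pos < n:
        sp = buf.find(b" ", pos, min(pos + 20, n))          # length field is short
        if sp <= pos or not buf[pos:sp].isdigit():
            raise ValueError(f"bad length field at offset {pos}")
        end = pos + int(buf[pos:sp])
        if end < sp + 4 or end > n or buf[end - 1] != 0x0A:  # "<key>=\n" minimum
            raise ValueError(f"bad record length at offset {pos}")
        eq = buf.find(b"=", sp + 1, end - 1)
        if eq <= sp + 1:
            raise ValueError(f"missing key or '=' at offset {pos}")
        records[buf[sp + 1:eq]] = buf[eq + 1:end - 1]
        pos = end
    return records


def precheck_tar(data: bytes, max_pax: int = MAX_PAX_HEADER) -> int:
    """Walk the 512-byte headers of an untrusted archive without tarfile.
    Returns the member count; raises ValueError if a pax extended header
    (typeflag 'x' or 'g') exceeds max_pax or a size field is unreadable."""
    pos, members = 0, 0
    while pos + BLOCK <= len(data):
        hdr = data[pos:pos + BLOCK]
        if hdr == bytes(BLOCK):                 # end-of-archive zero block
            break
        size_field = hdr[124:136]
        if size_field[0] & 0x80:                # GNU base-256 size: refuse, do not guess
            raise ValueError(f"non-octal size field at offset {pos}")
        try:
            size = int(size_field.strip(b"\0 ") or b"0", 8)
        except ValueError:
            raise ValueError(f"malformed size field at offset {pos}") from None
        if hdr[156:157] in (b"x", b"g") and size > max_pax:
            raise ValueError(f"pax header of {size} bytes at offset {pos} exceeds {max_pax}")
        members += 1
        pos += BLOCK + -(-size // BLOCK) * BLOCK     # header plus padded data
    return members


def rejects(fn, data) -> bool:
    """True when fn(data) raises ValueError."""
    try:
        fn(data)
    except ValueError:
        return True
    return False


def build_tar(name: str, content: bytes) -> bytes:
    """Constructed benign pax archive; a name over 100 bytes makes tarfile
    emit an 'x' extended header ahead of the member."""
    out = io.BytesIO()
    with tarfile.open(fileobj=out, mode="w", format=tarfile.PAX_FORMAT) as tf:
        ti = tarfile.TarInfo(name)
        ti.size = len(content)
        tf.addfile(ti, io.BytesIO(content))
    return out.getvalue()


def crafted_pax_archive(size: int) -> bytes:
    """Constructed hostile archive: one 'x' header announcing `size` bytes of
    pax data that is nothing but digits, with a valid header checksum."""
    hdr = bytearray(BLOCK)
    hdr[0:14] = b"./PaxHeaders/x"
    hdr[100:108], hdr[108:116], hdr[116:124] = b"0000644\0", b"0000000\0", b"0000000\0"
    hdr[124:136] = b"%011o\0" % size
    hdr[136:148] = b"00000000000\0"
    hdr[148:156] = b"        "              # checksum field counts as spaces
    hdr[156] = ord("x")
    hdr[257:263] = b"ustar\0"
    hdr[263:265] = b"00"
    hdr[148:156] = b"%06o\0 " % sum(hdr)
    padded = -(-size // BLOCK) * BLOCK
    return bytes(hdr) + b"9" * size + bytes(padded - size) + bytes(2 * BLOCK)


if __name__ == "__main__":
    hostile = b"9" * 50_000
    t0 = time.perf_counter()
    hdrcharset_regex(hostile)
    print(f"regex search over {len(hostile):,} digit bytes: {time.perf_counter() - t0:.2f}s")
    print("linear parser rejects the same bytes:", rejects(parse_pax_records, hostile))
    print("benign archive members:", precheck_tar(build_tar("a" * 120, b"hello")))
    print("crafted archive rejected:", rejects(precheck_tar, crafted_pax_archive(MAX_PAX_HEADER + 1)))
```

Running the module directly times the regex against 50,000 bytes of digits (seconds, growing quadratically with the size of the pax header the attacker controls) and shows the linear parser rejecting the same bytes immediately. The pre-check refuses GNU base-256 size fields rather than decoding them, because the point of the check is to bound work before parsing, not to be a second tar implementation; an archive that needs them should be handled on a fixed interpreter instead.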

Status

Ongoing

Affected Products & Versions

Version | Palette Enterprise | Palette Enterprise Airgap | VerteX | VerteX Airgap
4.5.15 | ✅ No Impact | ✅ No Impact | ⚠️ Impacted | ✅ No Impact
4.5.11 | ✅ No Impact | ✅ No Impact | ⚠️ Impacted | ✅ No Impact
4.5.10 | ✅ No Impact | ✅ No Impact | ⚠️ Impacted | ✅ No Impact
4.5.8 | ✅ No Impact | ✅ No Impact | ⚠️ Impacted | ✅ No Impact
4.5.5 | ✅ No Impact | ⚠️ Impacted | ⚠️ Impacted | ✅ No Impact
4.5.4 | ✅ No Impact | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted
4.4.20 | ✅ No Impact | ⚠️ Impacted | ⚠️ Impacted | ⚠️ Impacted

Revision History

Date | Revision
11/13/2024 | Impacted versions changed from 4.5.4, 4.5.5 to 4.5.4, 4.5.5, 4.4.20
10/27/2024 | Impacted versions changed from 4.5.4 to 4.5.4, 4.5.5