CVE-2022-45061
CVE Details
Visit the official vulnerability details page for CVE-2022-45061 to learn more.
Initial Publication
11/13/2024
Last Update
12/13/2024
Third Party Dependency
libpython2.7-minimal
NIST CVE Summary
An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16.
CVE Severity
Our Official Summary
This CVE is a vulnerability affecting Python versions before 3.11.1. The issue lies in an unnecessary quadratic algorithm in one code path of the IDNA (RFC 3490) decoder when it processes certain inputs. This can lead to slow execution times and potential denial of service attacks on systems using affected Python versions. Systems that use Python's idna module to decode large strings, such as web servers or applications handling user-provided hostnames, may be impacted by this vulnerability. There is no known workaround for this vulnerability; the Python version in the reported images needs to be upgraded.
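The two summaries above describe the exposure (a quadratic path in the IDNA decoder, reachable through an attacker-supplied hostname such as one in a 302 Location header) and the remedy (upgrade Python). The following is an added example, not code from this advisory or from CPython: it checks whether an interpreter is at or past the fix versions the NIST text lists, and it shows a defensive guard that rejects oversized hostnames before they reach the IDNA codec, as defence in depth while an image is still being upgraded. The 253-character hostname limit and 63-character label limit come from RFC 1035, not from this advisory, and the helper names are assumptions of this example.

```python
"""Added example (not from the advisory or from CPython): version check for
the listed fix releases, plus an application-level guard that keeps
untrusted hostnames away from Python's IDNA decoder until they have been
length-checked."""
import sys
from urllib.parse import urlsplit

# Minimum patch level per minor version, as listed in the NIST summary.
FIXED_VERSIONS = {
    (3, 7): (3, 7, 16),
    (3, 8): (3, 8, 16),
    (3, 9): (3, 9, 16),
    (3, 10): (3, 10, 9),
    (3, 11): (3, 11, 1),
}

# RFC 1035 size limits; these are assumptions of this example, the advisory
# does not specify a cut-off.
MAX_HOSTNAME_LEN = 253
MAX_LABEL_LEN = 63


def interpreter_has_fix(version=None):
    """Return True if a (major, minor, micro) tuple is at or past the fix."""
    if version is None:
        version = tuple(sys.version_info[:3])
    major, minor, micro = version
    if major > 3 or (major == 3 and minor > 11):
        return True  # 3.12 and later were released after the fix landed
    floor = FIXED_VERSIONS.get((major, minor))
    if floor is None:
        return False  # 3.6 and older never received the fix
    return (major, minor, micro) >= floor


def safe_idna_decode(hostname):
    """Reject oversized names before the codec runs, then decode A-labels."""
    if len(hostname) > MAX_HOSTNAME_LEN:
        raise ValueError(
            f"hostname of {len(hostname)} chars exceeds {MAX_HOSTNAME_LEN}")
    for label in hostname.rstrip(".").split("."):
        if not label or len(label) > MAX_LABEL_LEN:
            raise ValueError(f"invalid label length in {hostname!r}")
    try:
        raw = hostname.encode("ascii")
    except UnicodeEncodeError:
        raise ValueError("expected ASCII A-labels (xn--...), got U-labels")
    # Only now hand the (bounded) input to the standard-library decoder.
    return raw.decode("idna")


def hostname_from_redirect(location_header):
    """Extract and sanity-check the host named by a Location header."""
    host = urlsplit(location_header).hostname
    if host is None:
        raise ValueError("Location header carries no host")
    return safe_idna_decode(host)


if __name__ == "__main__":
    # Constructed sample: a redirect target with an encoded label.
    print(interpreter_has_fix())
    print(hostname_from_redirect("https://xn--bcher-kva.example/login"))
```

`hostname_from_redirect` is the point where an HTTP client following a 302 would apply the guard; the length checks are cheap and run before any codec work, so an unreasonably long name is dropped in constant time rather than spending quadratic CPU in an unpatched decoder. The guard limits the blast radius; it does not replace the upgrade the advisory calls for.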
Status
Ongoing
Affected Products & Versions
| Version | Palette Enterprise | Palette Enterprise Airgap | VerteX | VerteX Airgap |
|---|---|---|---|---|
| 4.4.20 | ✅ No Impact | ✅ No Impact | ⚠️ Impacted | ⚠️ Impacted |
Revision History
| Date | Revision |
|---|---|