CVE-2019-20907

HIGH7.5EPSS 0.32%

python3.5 - security update

發布日:2020/7/13修改日:2025/12/3

也稱為:ALPINE-CVE-2019-20907DEBIAN-CVE-2019-20907

描述

In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.

受影響套件(5)

Alpine/python3from 0, < 3.8.5-r0
Debian/pypy3from 0, < 7.3.3+dfsg-1
Debian/python2.7from 0, < 2.7.18-2
Debian/python3.5from 0, < 3.5.3-1+deb9u3
Debian/python3.9from 0, < 3.9.0~b5-1

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

參考連結(2)

ADVISORYhttps://security.alpinelinux.org/vuln/CVE-2019-20907
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2019-20907