Attacker Value
Unknown
(0 users assessed)
Exploitability
Unknown
(0 users assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
0

CVE-2019-20907

Disclosure Date: July 13, 2020
CVE-2019-20907 CVSS v3 Base Score: 7.5
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics
Base Score:
7.5 High
Impact Score:
3.6
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
None
Integrity (I):
None
Availability (A):
High

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
n/a
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • canonical,
  • debian,
  • fedoraproject,
  • netapp,
  • opensuse,
  • oracle,
  • python

Products

  • active iq unified manager,
  • cloud volumes ontap mediator -,
  • debian linux 9.0,
  • fedora 31,
  • fedora 32,
  • leap 15.1,
  • leap 15.2,
  • python,
  • ubuntu linux 12.04,
  • ubuntu linux 14.04,
  • ubuntu linux 16.04,
  • ubuntu linux 18.04,
  • ubuntu linux 20.04,
  • zfs storage appliance kit 8.8

References

Canonical
CVE-2019-20907 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20907)
Advisory
https://bugs.python.org/issue39017
https://github.com/python/cpython/pull/21454
FEDORA-2020-dfb11916cc (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VT4AF72TJ2XNIKCR4WEBR7URBJJ4YZRD)
FEDORA-2020-e9251de272 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CAXHCY4V3LPAAJOBCJ26ISZ4NUXQXTUZ)
USN-4428-1 (https://usn.ubuntu.com/4428-1)
FEDORA-2020-c3b07cc5c9 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V3TALOUBYU2MQD4BPLRTDQUMBKGCAXUA)
FEDORA-2020-aab24d3714 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YSL3XWVDMSMKO23HR74AJQ6VEM3C2NTS)
FEDORA-2020-bb919e575e (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LE4O3PNDNNOMSKHNUKZKD3NGHIFUFDPX)
FEDORA-2020-97d775e649 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TOGKLGTXZLHQQFBVCAPSUDA6DOOJFNRY)
https://security.netapp.com/advisory/ntap-20200731-0002
GLSA-202008-01 (https://security.gentoo.org/glsa/202008-01)
FEDORA-2020-826b24c329 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PDKKRXLNVXRF6VGERZSR3OMQR5D5QI6I)
FEDORA-2020-1ddd5273d6 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YILCHHTNLH4GG4GSQBX2MZRKZBXOLCKE)
FEDORA-2020-87c0a0a52d (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NTBKKOLFFNHG6CM4ACDX4APHSD5ZX5N4)
FEDORA-2020-efb908b6a8 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CNHPQGSP2YM3JAUD2VAMPXTIUQTZ2M2U)
FEDORA-2020-d808fdd597 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V53P2YOLEQH4J7S5QHXMKMZYFTVVMTMO)
FEDORA-2020-982b2950db (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CTUNTBJ3POHONQOTLEZC46POCIYYTAKZ)
FEDORA-2020-c539babb0a (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/36XI3EEQNMHGOZEI63Y7UV6XZRELYEAU)
[debian-lts-announce] 20200822 [SECURITY] [DLA 2337-1] python2.7 security update (https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html)
http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00051.html
http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00052.html
http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00053.html
http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00056.html
FEDORA-2020-dfb11916cc (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VT4AF72TJ2XNIKCR4WEBR7URBJJ4YZRD/)
FEDORA-2020-e9251de272 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CAXHCY4V3LPAAJOBCJ26ISZ4NUXQXTUZ/)
USN-4428-1 (https://usn.ubuntu.com/4428-1/)
FEDORA-2020-c3b07cc5c9 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V3TALOUBYU2MQD4BPLRTDQUMBKGCAXUA/)
FEDORA-2020-aab24d3714 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YSL3XWVDMSMKO23HR74AJQ6VEM3C2NTS/)
FEDORA-2020-bb919e575e (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LE4O3PNDNNOMSKHNUKZKD3NGHIFUFDPX/)
FEDORA-2020-97d775e649 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TOGKLGTXZLHQQFBVCAPSUDA6DOOJFNRY/)
https://security.netapp.com/advisory/ntap-20200731-0002/
FEDORA-2020-826b24c329 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PDKKRXLNVXRF6VGERZSR3OMQR5D5QI6I/)
FEDORA-2020-1ddd5273d6 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YILCHHTNLH4GG4GSQBX2MZRKZBXOLCKE/)
FEDORA-2020-87c0a0a52d (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NTBKKOLFFNHG6CM4ACDX4APHSD5ZX5N4/)
FEDORA-2020-efb908b6a8 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CNHPQGSP2YM3JAUD2VAMPXTIUQTZ2M2U/)
FEDORA-2020-d808fdd597 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V53P2YOLEQH4J7S5QHXMKMZYFTVVMTMO/)
FEDORA-2020-982b2950db (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CTUNTBJ3POHONQOTLEZC46POCIYYTAKZ/)
FEDORA-2020-c539babb0a (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/36XI3EEQNMHGOZEI63Y7UV6XZRELYEAU/)
FEDORA-2020-d30881c970 (https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OXI72HIHMXCQFWTULUXDG7VDA2BCYL4Y/)
[debian-lts-announce] 20201119 [SECURITY] [DLA 2456-1] python3.5 security update (https://lists.debian.org/debian-lts-announce/2020/11/msg00032.html)
[debian-lts-announce] 20230524 [SECURITY] [DLA 3432-1] python2.7 security update (https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html)
Miscellaneous
https://www.oracle.com/security-alerts/cpujan2021.html

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis