.. _xmlrpc-dos:

XML-RPC DoS
===========

.. warning::
    This resource is maintained for historical reference and **does not contain the latest vulnerability info for Python**.

    The `canonical database for vulnerabilities affecting Python <https://github.com/psf/advisory-database>`_ is available on GitHub
    in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the
    `Open Source Vulnerability Database <https://osv.dev/list?ecosystem=&q=CVE-2012-0845>`_.

A denial of service flaw was found in the way Simple XML-RPC Server module
of Python processed client connections, that were closed prior the complete
request body has been received. A remote attacker could use this flaw to
cause Python Simple XML-RPC based server process to consume excessive
amount of CPU.

Dates:

* Disclosure date: **2012-02-13** (Python issue bpo-14001 reported)

Fixed In
--------

* Python **2.6.8** (2012-04-10) fixed by `commit 66f3cc6 (branch 2.6) <https://github.com/python/cpython/commit/66f3cc6f8de83c447d937160e4a1630c4482b5f5>`_ (2012-02-18)
* Python **2.7.3** (2012-04-09) fixed by `commit 66f3cc6 (branch 2.6) <https://github.com/python/cpython/commit/66f3cc6f8de83c447d937160e4a1630c4482b5f5>`_ (2012-02-18)
* Python **3.1.5** (2012-04-06) fixed by `commit ec1712a (branch 3.2) <https://github.com/python/cpython/commit/ec1712a1662282c909b4cd4cc0c7486646bc9246>`_ (2012-02-18)
* Python **3.2.3** (2012-04-10) fixed by `commit ec1712a (branch 3.2) <https://github.com/python/cpython/commit/ec1712a1662282c909b4cd4cc0c7486646bc9246>`_ (2012-02-18)
* Python **3.3.0** (2012-09-29) fixed by `commit ec1712a (branch 3.2) <https://github.com/python/cpython/commit/ec1712a1662282c909b4cd4cc0c7486646bc9246>`_ (2012-02-18)

Python issue
------------

CVE-2012-0845 Python v2.7.2 / v3.2.2 (SimpleXMLRPCServer): DoS (excessive CPU usage) by processing malformed XMLRPC / HTTP POST request.

* Python issue: `bpo-14001 <https://bugs.python.org/issue14001>`_
* Creation date: 2012-02-13
* Reporter: Jan Lieskovsky

CVE-2012-0845
-------------

SimpleXMLRPCServer.py in SimpleXMLRPCServer in Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an XML-RPC POST request that contains a smaller amount of data than specified by the Content-Length header.

* CVE ID: `CVE-2012-0845 <https://nvd.nist.gov/vuln/detail/CVE-2012-0845/>`_
* Published: 2012-10-05
* `CVSS Score <https://nvd.nist.gov/cvss.cfm>`_: 5.0

Timeline
--------

Timeline using the disclosure date **2012-02-13** as reference:

* 2012-02-13: `Python issue bpo-14001 <https://bugs.python.org/issue14001>`_ reported by Jan Lieskovsky
* 2012-02-18 (**+5 days**): `commit 66f3cc6 (branch 2.6) <https://github.com/python/cpython/commit/66f3cc6f8de83c447d937160e4a1630c4482b5f5>`_
* 2012-02-18 (**+5 days**): `commit ec1712a (branch 3.2) <https://github.com/python/cpython/commit/ec1712a1662282c909b4cd4cc0c7486646bc9246>`_
* 2012-04-06 (**+53 days**): Python 3.1.5 released
* 2012-04-09 (**+56 days**): Python 2.7.3 released
* 2012-04-10 (**+57 days**): Python 2.6.8 released
* 2012-04-10 (**+57 days**): Python 3.2.3 released
* 2012-09-29: Python 3.3.0 released
* 2012-10-05 (**+235 days**): CVE-2012-0845 published