.. _xmlrpc-gzip-unlimited-read: xmlrpc gzip unlimited read ========================== .. warning:: This resource is maintained for historical reference and **does not contain the latest vulnerability info for Python**. The `canonical database for vulnerabilities affecting Python `_ is available on GitHub in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the `Open Source Vulnerability Database `_. Add a default limit for the amount of data ``xmlrpclib.gzip_decode()`` will return. Dates: * Disclosure date: **2012-09-25** (Python issue bpo-16043 reported) * `Red Hat impact `_: Moderate Fixed In -------- * Python **2.7.9** (2014-12-10) fixed by `commit 9e8f523 (branch 2.7) `_ (2014-12-06) * Python **3.3.7** (2017-09-19) fixed by `commit 4e9cefa (branch 3.2) `_ (2014-12-06) * Python **3.4.3** (2015-02-25) fixed by `commit 4e9cefa (branch 3.2) `_ (2014-12-06) * Python **3.5.0** (2015-09-12) fixed by `commit 4e9cefa (branch 3.2) `_ (2014-12-06) Python issue ------------ xmlrpc: gzip_decode has unlimited read(). * Python issue: `bpo-16043 `_ * Creation date: 2012-09-25 * Reporter: Christian Heimes CVE-2013-1753 ------------- The gzip_decode function in the xmlrpc client library in Python 3.4 and earlier allows remote attackers to cause a denial of service (memory consumption) via a crafted HTTP request. * CVE ID: `CVE-2013-1753 `_ * Published: 2020-03-11 * `CVSS Score `_: 5.0 Timeline -------- Timeline using the disclosure date **2012-09-25** as reference: * 2012-09-25: `Python issue bpo-16043 `_ reported by Christian Heimes * 2014-12-06 (**+802 days**): `commit 4e9cefa (branch 3.2) `_ * 2014-12-06 (**+802 days**): `commit 9e8f523 (branch 2.7) `_ * 2014-12-10 (**+806 days**): Python 2.7.9 released * 2015-02-25 (**+883 days**): Python 3.4.3 released * 2015-09-12: Python 3.5.0 released * 2017-09-19 (**+1820 days**): Python 3.3.7 released * 2020-03-11 (**+2724 days**): CVE-2013-1753 published Links ----- * https://access.redhat.com/security/cve/cve-2013-1753