XML-RPC DoS

Warning

This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.

The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the Open Source Vulnerability Database.

A denial of service flaw was found in the way the SimpleXMLRPCServer module of Python processed client connections that were closed before the complete request body had been received. A remote attacker could use this flaw to cause a Python SimpleXMLRPCServer-based server process to consume an excessive amount of CPU.

Dates:

  • Disclosure date: 2012-02-13 (Python issue bpo-14001 reported)

Fixed In

Python issue

CVE-2012-0845 Python v2.7.2 / v3.2.2 (SimpleXMLRPCServer): DoS (excessive CPU usage) by processing malformed XMLRPC / HTTP POST request.

  • Python issue: bpo-14001
  • Creation date: 2012-02-13
  • Reporter: Jan Lieskovsky

CVE-2012-0845

SimpleXMLRPCServer.py in SimpleXMLRPCServer in Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an XML-RPC POST request that contains a smaller amount of data than specified by the Content-Length header.
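The request-body read loop at the heart of this flaw, as an added example that is not the page's or CPython's own code: a pre-fix loop shape beside a post-fix one, with an io.BytesIO standing in for the socket file. The iteration guard in the vulnerable variant and the constructed SHORT_BODY request are demo assumptions only.

```python
import io

MAX_CHUNK = 10 * 1024 * 1024  # per-read cap, as in SimpleXMLRPCServer.do_POST

def read_body_vulnerable(rfile, content_length, max_iterations=1000):
    """Pre-fix loop shape: keep calling read() until Content-Length bytes
    have arrived. When the peer has already closed the connection, read()
    returns b'' every time, size_remaining never shrinks and the loop spins
    at full CPU. max_iterations is a demo-only guard so the call returns;
    the real server had nothing like it."""
    size_remaining = content_length
    chunks = []
    iterations = 0
    while size_remaining:
        if iterations >= max_iterations:
            return None, iterations  # would have looped forever
        iterations += 1
        chunk = rfile.read(min(size_remaining, MAX_CHUNK))
        chunks.append(chunk)
        size_remaining -= len(chunk)
    return b"".join(chunks), iterations

def read_body_fixed(rfile, content_length):
    """Post-fix loop shape: treat an empty read as EOF and stop, then let the
    caller see that the body is shorter than Content-Length promised."""
    size_remaining = content_length
    chunks = []
    while size_remaining:
        chunk = rfile.read(min(size_remaining, MAX_CHUNK))
        if not chunk:  # peer closed before sending all it announced
            break
        chunks.append(chunk)
        size_remaining -= len(chunk)
    body = b"".join(chunks)
    return body, len(body) == content_length

# Constructed request: the header promises 64 bytes, the peer sends 21 and hangs up.
ANNOUNCED_LENGTH = 64
SHORT_BODY = b"<?xml version='1.0'?>"  # 21 bytes, then EOF

if __name__ == "__main__":
    body, spins = read_body_vulnerable(io.BytesIO(SHORT_BODY), ANNOUNCED_LENGTH)
    print("vulnerable loop:", "gave up after %d iterations" % spins if body is None else "ok")
    body, complete = read_body_fixed(io.BytesIO(SHORT_BODY), ANNOUNCED_LENGTH)
    print("fixed loop: read %d of %d bytes, complete=%s" % (len(body), ANNOUNCED_LENGTH, complete))
```

A server using the fixed loop can then reject the truncated request (for example with a 400 response) instead of parsing a partial XML document.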

Timeline

Timeline using the disclosure date 2012-02-13 as reference:

  • 2012-02-13: Python issue bpo-14001 reported by Jan Lieskovsky
  • 2012-02-18 (+5 days): commit 66f3cc6 (branch 2.6)
  • 2012-02-18 (+5 days): commit ec1712a (branch 3.2)
  • 2012-04-06 (+53 days): Python 3.1.5 released
  • 2012-04-09 (+56 days): Python 2.7.3 released
  • 2012-04-10 (+57 days): Python 2.6.8 released
  • 2012-04-10 (+57 days): Python 3.2.3 released
  • 2012-09-29: Python 3.3.0 released
  • 2012-10-05 (+235 days): CVE-2012-0845 published