xmlrpc gzip unlimited read
Warning
This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.
The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the Open Source Vulnerability Database.
Add a default limit for the amount of data xmlrpclib.gzip_decode() will return.
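Added example, not part of this record: a check that the interpreter enforces the decode limit, assuming the max_decode keyword the fix added to xmlrpc.client.gzip_decode (default 20 MiB, -1 disables the limit) and a constructed gzip stream of zeros that expands to 1 MiB.

```python
import gzip
import xmlrpc.client

# Constructed sample: 1 MiB of zeros gzips to roughly 1 KiB, so a small
# HTTP body can expand to a much larger buffer in memory on decode.
PLAIN_SIZE = 1024 * 1024
COMPRESSED = gzip.compress(b"\0" * PLAIN_SIZE)


def decode_with_limit(blob, limit=None):
    """Return the decoded length, or None when the limit stops the read.

    limit=None uses gzip_decode's default cap (assumed 20 MiB);
    limit=-1 disables the cap, as the fixed implementation allows.
    """
    kwargs = {} if limit is None else {"max_decode": limit}
    try:
        return len(xmlrpc.client.gzip_decode(blob, **kwargs))
    except ValueError:
        # Fixed versions raise ValueError("max gzipped payload length exceeded").
        return None


def interpreter_enforces_limit():
    """True if a cap smaller than the expanded size is refused."""
    return decode_with_limit(COMPRESSED, PLAIN_SIZE // 2) is None


if __name__ == "__main__":
    print("compressed bytes:", len(COMPRESSED))
    print("default cap accepts 1 MiB:", decode_with_limit(COMPRESSED) == PLAIN_SIZE)
    print("limit enforced:", interpreter_enforces_limit())
```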
Dates:
- Disclosure date: 2012-09-25 (Python issue bpo-16043 reported)
- Red Hat impact: Moderate
Fixed In
- Python 2.7.9 (2014-12-10) fixed by commit 9e8f523 (branch 2.7) (2014-12-06)
- Python 3.3.7 (2017-09-19) fixed by commit 4e9cefa (branch 3.2) (2014-12-06)
- Python 3.4.3 (2015-02-25) fixed by commit 4e9cefa (branch 3.2) (2014-12-06)
- Python 3.5.0 (2015-09-12) fixed by commit 4e9cefa (branch 3.2) (2014-12-06)
Python issue
xmlrpc: gzip_decode has unlimited read().
- Python issue: bpo-16043
- Creation date: 2012-09-25
- Reporter: Christian Heimes
CVE-2013-1753
The gzip_decode function in the xmlrpc client library in Python 3.4 and earlier allows remote attackers to cause a denial of service (memory consumption) via a crafted HTTP request.
- CVE ID: CVE-2013-1753
- Published: 2020-03-11
- CVSS Score: 5.0
Timeline
Timeline using the disclosure date 2012-09-25 as reference:
- 2012-09-25: Python issue bpo-16043 reported by Christian Heimes
- 2014-12-06 (+802 days): commit 4e9cefa (branch 3.2)
- 2014-12-06 (+802 days): commit 9e8f523 (branch 2.7)
- 2014-12-10 (+806 days): Python 2.7.9 released
- 2015-02-25 (+883 days): Python 3.4.3 released
- 2015-09-12: Python 3.5.0 released
- 2017-09-19 (+1820 days): Python 3.3.7 released
- 2020-03-11 (+2724 days): CVE-2013-1753 published