CVE-2019-20907

Published: 13/07/2020 Updated: 07/11/2023
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 446
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Vulnerability Summary

In Lib/tarfile.py in Python up to and including 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.

Vulnerable Products

python python

opensuse leap 15.1

opensuse leap 15.2

debian debian linux 9.0

fedoraproject fedora 31

fedoraproject fedora 32

canonical ubuntu linux 16.04

canonical ubuntu linux 12.04

canonical ubuntu linux 18.04

canonical ubuntu linux 14.04

canonical ubuntu linux 20.04

netapp active iq unified manager

netapp cloud volumes ontap mediator -

oracle zfs storage appliance kit 8.8

Vendor Advisories

Debian Bug report logs - #970099 CVE-2019-20907 CVE-2020-8492 Package: python27; Maintainer for python27 is Matthias Klose <doko@debian.org>; Source for python27 is src:python27 (PTS, buildd, popcon) Reported by: Moritz Muehlenhoff <jmm@debian.org> Date: Fri, 11 Sep 2020 17:33:01 UTC Severity: important Tags: se ...
Synopsis Moderate: python3 security update Type/Severity Security Advisory: Moderate Topic An update for python3 is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, wh ...
Synopsis Moderate: python3 security and bug fix update Type/Severity Security Advisory: Moderate Topic An update for python3 is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) ba ...
Synopsis Moderate: python38:3.8 security, bug fix, and enhancement update Type/Severity Security Advisory: Moderate Topic An update for the python38:3.8 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vul ...
Synopsis Moderate: python security update Type/Severity Security Advisory: Moderate Topic An update for python is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, whic ...
Synopsis Moderate: python27:2.7 security update Type/Severity Security Advisory: Moderate Topic An update for the python27:2.7 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System ...
Synopsis Moderate: OpenShift Container Platform 4.5.23 security and bug fix update Type/Severity Security Advisory: Moderate Topic Red Hat OpenShift Container Platform release 4.5.23 is now available with updates to packages and images that fix several bugs. This release includes a security update for Kubern ...
Synopsis Moderate: rh-python36 security, bug fix, and enhancement update Type/Severity Security Advisory: Moderate Topic An update for rh-python36-python, rh-python36-python-pip, and rh-python36-python-virtualenv is now available for Red Hat Software Collections. Red Hat Product Security has rated this updat ...
Synopsis Moderate: python27 security, bug fix, and enhancement update Type/Severity Security Advisory: Moderate Topic An update for python27-python, python27-python-pip, and python27-python-virtualenv is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having ...
Synopsis Moderate: rh-python38 security, bug fix, and enhancement update Type/Severity Security Advisory: Moderate Topic An update for rh-python38-python, rh-python38-python-psutil, and rh-python38-python-urllib3 is now available for Red Hat Software Collections. Red Hat Product Security has rated this updat ...
Synopsis Moderate: Release of OpenShift Serverless 1.11.0 Type/Severity Security Advisory: Moderate Topic Release of OpenShift Serverless 1.11.0 Description Red Hat OpenShift Serverless 1.11.0 is a generally available release of the OpenShift Serverless Operator. This version of the OpenShif ...
Synopsis Moderate: OpenShift Container Platform 4.6 compliance-operator security and bug fix update Type/Severity Security Advisory: Moderate Topic An update for compliance-content-container, ose-compliance-openscap-container, ose-compliance-operator-container, and ose-compliance-operator-metadata-container ...
Synopsis Moderate: OpenShift Container Platform 4.5.20 bug fix and golang security update Type/Severity Security Advisory: Moderate Topic Red Hat OpenShift Container Platform release 4.5.20 is now available with updates to packages and images that fix several bugs. This release includes a security update for ...
Synopsis Moderate: Red Hat Quay v3.3.3 bug fix and security update Type/Severity Security Advisory: Moderate Topic Red Hat Quay v3.3.3 is now available with bug fixes and security updates. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring S ...
Synopsis Moderate: OpenShift Container Platform 4.6 compliance-operator security and bug fix update Type/Severity Security Advisory: Moderate Topic An update for compliance-content-container, ose-compliance-openscap-container, ose-compliance-operator-container, and ose-compliance-operator-metadata-container ...
Synopsis Moderate: Red Hat OpenShift Container Storage 4.6.0 security, bug fix, enhancement update Type/Severity Security Advisory: Moderate Topic Updated images are now available for Red Hat OpenShift Container Storage 4.6.0 on Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as ha ...
Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this attacker can cause many dictionary entr ...
In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation (CVE-2019-20907) ...
A flaw was found in python. In Lib/tarfile.py, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation (CVE-2019-20907). A vulnerability was found in the way the ipaddress python module computes hash values in the IPv4Interface and IPv6Interface classes. This flaw ...
In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation (CVE-2019-20907). An issue was discovered in urllib2 in Python 2.x through 2.7.17 and urllib in Python 3.x through 3.8.0. CRLF injection is possible if the attacker ...
In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation ...

Github Repositories

Tasks enabling remediation of vulnerabilities as well as installation, updating and removal of packages via yum

yum_tasks Table of Contents Description Bolt Quickstart Gotchas/Limitations Tasks advisory cve security install remove update update_all update_cache Plans security_cache package_cache Contributions - Guide for contributing to the module Description These tasks help interact with yum at various levels via Puppet Bolt or Puppet Enterprise tasks. Bolt Quickstart If you ...

References

CWE-835
https://bugs.python.org/issue39017
https://github.com/python/cpython/pull/21454
https://usn.ubuntu.com/4428-1/
https://security.netapp.com/advisory/ntap-20200731-0002/
https://security.gentoo.org/glsa/202008-01
https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html
http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00051.html
http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00052.html
http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00053.html
http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00056.html
https://lists.debian.org/debian-lts-announce/2020/11/msg00032.html
https://www.oracle.com/security-alerts/cpujan2021.html
https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VT4AF72TJ2XNIKCR4WEBR7URBJJ4YZRD/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CAXHCY4V3LPAAJOBCJ26ISZ4NUXQXTUZ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V3TALOUBYU2MQD4BPLRTDQUMBKGCAXUA/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YSL3XWVDMSMKO23HR74AJQ6VEM3C2NTS/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LE4O3PNDNNOMSKHNUKZKD3NGHIFUFDPX/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TOGKLGTXZLHQQFBVCAPSUDA6DOOJFNRY/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PDKKRXLNVXRF6VGERZSR3OMQR5D5QI6I/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YILCHHTNLH4GG4GSQBX2MZRKZBXOLCKE/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NTBKKOLFFNHG6CM4ACDX4APHSD5ZX5N4/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CNHPQGSP2YM3JAUD2VAMPXTIUQTZ2M2U/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V53P2YOLEQH4J7S5QHXMKMZYFTVVMTMO/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CTUNTBJ3POHONQOTLEZC46POCIYYTAKZ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36XI3EEQNMHGOZEI63Y7UV6XZRELYEAU/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OXI72HIHMXCQFWTULUXDG7VDA2BCYL4Y/
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=970099
https://nvd.nist.gov
https://github.com/kinners00/yum
https://www.cisa.gov/news-events/ics-advisories/icsa-23-348-10
https://alas.aws.amazon.com/AL2/ALAS-2020-1484.html