CVE-2019-20907

MEDIUM

Description

In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.

References

http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00051.html

http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00052.html

http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00053.html

http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00056.html

https://bugs.python.org/issue39017

https://github.com/python/cpython/pull/21454

https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html

https://lists.debian.org/debian-lts-announce/2020/11/msg00032.html

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/36XI3EEQNMHGOZEI63Y7UV6XZRELYEAU/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CAXHCY4V3LPAAJOBCJ26ISZ4NUXQXTUZ/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CNHPQGSP2YM3JAUD2VAMPXTIUQTZ2M2U/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CTUNTBJ3POHONQOTLEZC46POCIYYTAKZ/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LE4O3PNDNNOMSKHNUKZKD3NGHIFUFDPX/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NTBKKOLFFNHG6CM4ACDX4APHSD5ZX5N4/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OXI72HIHMXCQFWTULUXDG7VDA2BCYL4Y/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PDKKRXLNVXRF6VGERZSR3OMQR5D5QI6I/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TOGKLGTXZLHQQFBVCAPSUDA6DOOJFNRY/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V3TALOUBYU2MQD4BPLRTDQUMBKGCAXUA/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/V53P2YOLEQH4J7S5QHXMKMZYFTVVMTMO/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VT4AF72TJ2XNIKCR4WEBR7URBJJ4YZRD/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YILCHHTNLH4GG4GSQBX2MZRKZBXOLCKE/

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YSL3XWVDMSMKO23HR74AJQ6VEM3C2NTS/

https://security.gentoo.org/glsa/202008-01

https://security.netapp.com/advisory/ntap-20200731-0002/

https://usn.ubuntu.com/4428-1/

https://www.oracle.com/security-alerts/cpujan2021.html

Details

Source: MITRE

Published: 2020-07-13

Updated: 2021-01-20

Type: CWE-20

Risk Information

CVSS v2.0

Base Score: 5

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Impact Score: 2.9

Exploitability Score: 10

Severity: MEDIUM

CVSS v3.0

Base Score: 7.5

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Impact Score: 3.6

Exploitability Score: 3.9

Severity: HIGH

Tenable Plugins

75 plugins total

ID | Name | Product | Family | Severity
148008 | Ubuntu 18.04 LTS / 20.04 LTS : Python vulnerabilities (USN-4754-3) | Nessus | Ubuntu Local Security Checks | high
147826 | RHEL 7 : python (RHSA-2021:0881) | Nessus | Red Hat Local Security Checks | medium
147485 | EulerOS : python3 (EulerOS-SA-2021-1623) | Nessus | Huawei Local Security Checks | high
147364 | NewStart CGSL MAIN 6.02 : python3 Multiple Vulnerabilities (NS-SA-2021-0059) | Nessus | NewStart CGSL Local Security Checks | medium
147311 | NewStart CGSL CORE 5.04 / MAIN 5.04 : python Vulnerability (NS-SA-2021-0015) | Nessus | NewStart CGSL Local Security Checks | medium
147302 | NewStart CGSL CORE 5.04 / MAIN 5.04 : python3 Multiple Vulnerabilities (NS-SA-2021-0029) | Nessus | NewStart CGSL Local Security Checks | medium
147211 | RHEL 7 : python (RHSA-2021:0761) | Nessus | Red Hat Local Security Checks | medium
146545 | RHEL 7 : python (RHSA-2021:0528) | Nessus | Red Hat Local Security Checks | medium
146036 | CentOS 8 : python38:3.8 (CESA-2020:4641) | Nessus | CentOS Local Security Checks | critical
146020 | CentOS 8 : python27:2.7 (CESA-2020:4654) | Nessus | CentOS Local Security Checks | medium
145883 | CentOS 8 : python3 (CESA-2020:4433) | Nessus | CentOS Local Security Checks | medium
145389 | openSUSE Security Update : python3 (openSUSE-2020-2333) | Nessus | SuSE Local Security Checks | high
145326 | openSUSE Security Update : python3 (openSUSE-2020-2332) | Nessus | SuSE Local Security Checks | high
144586 | SUSE SLED15 / SLES15 Security Update : python3 (SUSE-SU-2020:3930-1) | Nessus | SuSE Local Security Checks | high
143782 | SUSE SLES12 Security Update : python3 (SUSE-SU-2020:2699-1) | Nessus | SuSE Local Security Checks | medium
143646 | SUSE SLES12 Security Update : python36 (SUSE-SU-2020:3563-1) | Nessus | SuSE Local Security Checks | medium
143104 | Debian DLA-2456-1 : python3.5 security update | Nessus | Debian Local Security Checks | medium
143048 | CentOS 7 : python3 (CESA-2020:5010) | Nessus | CentOS Local Security Checks | medium
143046 | CentOS 7 : python (CESA-2020:5009) | Nessus | CentOS Local Security Checks | medium
142898 | Oracle Linux 7 : python (ELSA-2020-5009) | Nessus | Oracle Linux Local Security Checks | medium
142823 | Scientific Linux Security Update : python on SL7.x i686/x86_64 (2020:5009) | Nessus | Scientific Linux Local Security Checks | medium
142819 | Scientific Linux Security Update : python3 on SL7.x i686/x86_64 (2020:5010) | Nessus | Scientific Linux Local Security Checks | medium
142786 | Oracle Linux 8 : python3 (ELSA-2020-4433) | Nessus | Oracle Linux Local Security Checks | medium
142745 | Oracle Linux 7 : python3 (ELSA-2020-5010) | Nessus | Oracle Linux Local Security Checks | medium
142699 | RHEL 7 : python (RHSA-2020:5009) | Nessus | Red Hat Local Security Checks | medium
142696 | RHEL 7 : python3 (RHSA-2020:5010) | Nessus | Red Hat Local Security Checks | medium
142531 | EulerOS Virtualization 3.0.6.6 : python (EulerOS-SA-2020-2471) | Nessus | Huawei Local Security Checks | medium
142431 | RHEL 8 : python38:3.8 (RHSA-2020:4641) | Nessus | Red Hat Local Security Checks | critical
142407 | RHEL 8 : python27:2.7 (RHSA-2020:4654) | Nessus | Red Hat Local Security Checks | medium
142400 | RHEL 8 : python3 (RHSA-2020:4433) | Nessus | Red Hat Local Security Checks | medium
142308 | EulerOS 2.0 SP2 : python (EulerOS-SA-2020-2388) | Nessus | Huawei Local Security Checks | medium
142087 | EulerOS 2.0 SP5 : python (EulerOS-SA-2020-2264) | Nessus | Huawei Local Security Checks | medium
141521 | Fedora 32 : python34 (2020-d30881c970) | Nessus | Fedora Local Security Checks | medium
140862 | EulerOS 2.0 SP3 : python (EulerOS-SA-2020-2095) | Nessus | Huawei Local Security Checks | medium
140678 | FreeBSD : Python -- multiple vulnerabilities (2cb21232-fb32-11ea-a929-a4bf014bf5f7) | Nessus | FreeBSD Local Security Checks | medium
140321 | EulerOS Virtualization for ARM 64 3.0.2.0 : python (EulerOS-SA-2020-1951) | Nessus | Huawei Local Security Checks | medium
140198 | Amazon Linux 2 : python (ALAS-2020-1483) | Nessus | Amazon Linux Local Security Checks | medium
140195 | Amazon Linux 2 : python3 (ALAS-2020-1484) | Nessus | Amazon Linux Local Security Checks | medium
140089 | Amazon Linux AMI : python34 (ALAS-2020-1429) | Nessus | Amazon Linux Local Security Checks | medium
140087 | Amazon Linux AMI : python36 (ALAS-2020-1428) | Nessus | Amazon Linux Local Security Checks | medium
140085 | Amazon Linux AMI : python27 (ALAS-2020-1427) | Nessus | Amazon Linux Local Security Checks | medium
140005 | EulerOS Virtualization for ARM 64 3.0.6.0 : python2 (EulerOS-SA-2020-1902) | Nessus | Huawei Local Security Checks | medium
140003 | EulerOS Virtualization for ARM 64 3.0.6.0 : python3 (EulerOS-SA-2020-1900) | Nessus | Huawei Local Security Checks | medium
139903 | openSUSE Security Update : python3 (openSUSE-2020-1265) | Nessus | SuSE Local Security Checks | medium
139898 | openSUSE Security Update : python3 (openSUSE-2020-1258) | Nessus | SuSE Local Security Checks | medium
139897 | openSUSE Security Update : python (openSUSE-2020-1257) | Nessus | SuSE Local Security Checks | medium
139780 | openSUSE Security Update : python (openSUSE-2020-1254) | Nessus | SuSE Local Security Checks | medium
139762 | Fedora 31 : python35 (2020-c539babb0a) | Nessus | Fedora Local Security Checks | medium
139757 | Debian DLA-2337-1 : python2.7 security update | Nessus | Debian Local Security Checks | medium
139723 | SUSE SLED15 / SLES15 Security Update : python3 (SUSE-SU-2020:2277-1) | Nessus | SuSE Local Security Checks | medium
139722 | SUSE SLED15 / SLES15 Security Update : python (SUSE-SU-2020:2276-1) | Nessus | SuSE Local Security Checks | medium
139721 | SUSE SLES12 Security Update : python (SUSE-SU-2020:2275-1) | Nessus | SuSE Local Security Checks | medium
139635 | Fedora 32 : python35 (2020-982b2950db) | Nessus | Fedora Local Security Checks | medium
139588 | Fedora 31 : python3 (2020-d808fdd597) | Nessus | Fedora Local Security Checks | medium
139566 | SUSE SLES12 Security Update : python36 (SUSE-SU-2020:2216-1) | Nessus | SuSE Local Security Checks | medium
139527 | Fedora 31 : python36 (2020-efb908b6a8) | Nessus | Fedora Local Security Checks | medium
139345 | Fedora 32 : python37 (2020-87c0a0a52d) | Nessus | Fedora Local Security Checks | medium
139344 | Fedora 31 : python2 (2020-826b24c329) | Nessus | Fedora Local Security Checks | medium
139343 | Fedora 32 : python36 (2020-1ddd5273d6) | Nessus | Fedora Local Security Checks | medium
139274 | GLSA-202008-01 : Python: Multiple vulnerabilities | Nessus | Gentoo Local Security Checks | medium
139217 | Fedora 32 : python3 / python3-docs (2020-c3b07cc5c9) | Nessus | Fedora Local Security Checks | medium
139216 | Fedora 31 : python38 (2020-bb919e575e) | Nessus | Fedora Local Security Checks | medium
139215 | Fedora 31 : python39 (2020-aab24d3714) | Nessus | Fedora Local Security Checks | medium
139214 | Fedora 32 : python39 (2020-97d775e649) | Nessus | Fedora Local Security Checks | medium
139153 | EulerOS 2.0 SP8 : python3 (EulerOS-SA-2020-1823) | Nessus | Huawei Local Security Checks | medium
139152 | EulerOS 2.0 SP8 : python2 (EulerOS-SA-2020-1822) | Nessus | Huawei Local Security Checks | medium
139058 | Photon OS 2.0: Python3 PHSA-2020-2.0-0265 | Nessus | PhotonOS Local Security Checks | medium
139057 | Photon OS 2.0: Python2 PHSA-2020-2.0-0265 | Nessus | PhotonOS Local Security Checks | medium
139051 | Photon OS 1.0: Python3 PHSA-2020-1.0-0309 | Nessus | PhotonOS Local Security Checks | medium
139050 | Photon OS 1.0: Python2 PHSA-2020-1.0-0309 | Nessus | PhotonOS Local Security Checks | medium
139045 | Photon OS 3.0: Python3 PHSA-2020-3.0-0118 | Nessus | PhotonOS Local Security Checks | medium
139044 | Photon OS 3.0: Python2 PHSA-2020-3.0-0118 | Nessus | PhotonOS Local Security Checks | medium
138921 | Fedora 32 : python27 (2020-e9251de272) | Nessus | Fedora Local Security Checks | medium
138872 | Ubuntu 16.04 LTS / 18.04 LTS / 20.04 : Python vulnerabilities (USN-4428-1) | Nessus | Ubuntu Local Security Checks | medium
138867 | Fedora 32 : mingw-python3 (2020-dfb11916cc) | Nessus | Fedora Local Security Checks | medium