CVE-2019-20907MEDIUM
Description
In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.
References
http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00051.html
http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00052.html
http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00053.html
http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00056.html
https://bugs.python.org/issue39017
https://github.com/python/cpython/pull/21454
https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html
https://lists.debian.org/debian-lts-announce/2020/11/msg00032.html
https://security.gentoo.org/glsa/202008-01
https://security.netapp.com/advisory/ntap-20200731-0002/
Details
Source: MITRE
Published: 2020-07-13
Updated: 2021-01-20
Type: CWE-20
Risk Information
CVSS v2.0
Base Score: 5
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Impact Score: 2.9
Exploitability Score: 10
Severity: MEDIUM
CVSS v3.0
Base Score: 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Impact Score: 3.6
Exploitability Score: 3.9
Severity: HIGH
Vulnerable Software
Configuration 1
OR
Configuration 2
OR
Configuration 3
OR
Configuration 4
OR
Configuration 5
OR
cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
Configuration 6
OR
cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:vsphere:*:*
cpe:2.3:a:netapp:cloud_volumes_ontap_mediator:-:*:*:*:*:*:*:*
Tenable Plugins
| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 148008 | Ubuntu 18.04 LTS / 20.04 LTS : Python vulnerabilities (USN-4754-3) | Nessus | Ubuntu Local Security Checks | high |
| 147826 | RHEL 7 : python (RHSA-2021:0881) | Nessus | Red Hat Local Security Checks | medium |
| 147485 | EulerOS : python3 (EulerOS-SA-2021-1623) | Nessus | Huawei Local Security Checks | high |
| 147364 | NewStart CGSL MAIN 6.02 : python3 Multiple Vulnerabilities (NS-SA-2021-0059) | Nessus | NewStart CGSL Local Security Checks | medium |
| 147311 | NewStart CGSL CORE 5.04 / MAIN 5.04 : python Vulnerability (NS-SA-2021-0015) | Nessus | NewStart CGSL Local Security Checks | medium |
| 147302 | NewStart CGSL CORE 5.04 / MAIN 5.04 : python3 Multiple Vulnerabilities (NS-SA-2021-0029) | Nessus | NewStart CGSL Local Security Checks | medium |
| 147211 | RHEL 7 : python (RHSA-2021:0761) | Nessus | Red Hat Local Security Checks | medium |
| 146545 | RHEL 7 : python (RHSA-2021:0528) | Nessus | Red Hat Local Security Checks | medium |
| 146036 | CentOS 8 : python38:3.8 (CESA-2020:4641) | Nessus | CentOS Local Security Checks | critical |
| 146020 | CentOS 8 : python27:2.7 (CESA-2020:4654) | Nessus | CentOS Local Security Checks | medium |
| 145883 | CentOS 8 : python3 (CESA-2020:4433) | Nessus | CentOS Local Security Checks | medium |
| 145389 | openSUSE Security Update : python3 (openSUSE-2020-2333) | Nessus | SuSE Local Security Checks | high |
| 145326 | openSUSE Security Update : python3 (openSUSE-2020-2332) | Nessus | SuSE Local Security Checks | high |
| 144586 | SUSE SLED15 / SLES15 Security Update : python3 (SUSE-SU-2020:3930-1) | Nessus | SuSE Local Security Checks | high |
| 143782 | SUSE SLES12 Security Update : python3 (SUSE-SU-2020:2699-1) | Nessus | SuSE Local Security Checks | medium |
| 143646 | SUSE SLES12 Security Update : python36 (SUSE-SU-2020:3563-1) | Nessus | SuSE Local Security Checks | medium |
| 143104 | Debian DLA-2456-1 : python3.5 security update | Nessus | Debian Local Security Checks | medium |
| 143048 | CentOS 7 : python3 (CESA-2020:5010) | Nessus | CentOS Local Security Checks | medium |
| 143046 | CentOS 7 : python (CESA-2020:5009) | Nessus | CentOS Local Security Checks | medium |
| 142898 | Oracle Linux 7 : python (ELSA-2020-5009) | Nessus | Oracle Linux Local Security Checks | medium |
| 142823 | Scientific Linux Security Update : python on SL7.x i686/x86_64 (2020:5009) | Nessus | Scientific Linux Local Security Checks | medium |
| 142819 | Scientific Linux Security Update : python3 on SL7.x i686/x86_64 (2020:5010) | Nessus | Scientific Linux Local Security Checks | medium |
| 142786 | Oracle Linux 8 : python3 (ELSA-2020-4433) | Nessus | Oracle Linux Local Security Checks | medium |
| 142745 | Oracle Linux 7 : python3 (ELSA-2020-5010) | Nessus | Oracle Linux Local Security Checks | medium |
| 142699 | RHEL 7 : python (RHSA-2020:5009) | Nessus | Red Hat Local Security Checks | medium |
| 142696 | RHEL 7 : python3 (RHSA-2020:5010) | Nessus | Red Hat Local Security Checks | medium |
| 142531 | EulerOS Virtualization 3.0.6.6 : python (EulerOS-SA-2020-2471) | Nessus | Huawei Local Security Checks | medium |
| 142431 | RHEL 8 : python38:3.8 (RHSA-2020:4641) | Nessus | Red Hat Local Security Checks | critical |
| 142407 | RHEL 8 : python27:2.7 (RHSA-2020:4654) | Nessus | Red Hat Local Security Checks | medium |
| 142400 | RHEL 8 : python3 (RHSA-2020:4433) | Nessus | Red Hat Local Security Checks | medium |
| 142308 | EulerOS 2.0 SP2 : python (EulerOS-SA-2020-2388) | Nessus | Huawei Local Security Checks | medium |
| 142087 | EulerOS 2.0 SP5 : python (EulerOS-SA-2020-2264) | Nessus | Huawei Local Security Checks | medium |
| 141521 | Fedora 32 : python34 (2020-d30881c970) | Nessus | Fedora Local Security Checks | medium |
| 140862 | EulerOS 2.0 SP3 : python (EulerOS-SA-2020-2095) | Nessus | Huawei Local Security Checks | medium |
| 140678 | FreeBSD : Python -- multiple vulnerabilities (2cb21232-fb32-11ea-a929-a4bf014bf5f7) | Nessus | FreeBSD Local Security Checks | medium |
| 140321 | EulerOS Virtualization for ARM 64 3.0.2.0 : python (EulerOS-SA-2020-1951) | Nessus | Huawei Local Security Checks | medium |
| 140198 | Amazon Linux 2 : python (ALAS-2020-1483) | Nessus | Amazon Linux Local Security Checks | medium |
| 140195 | Amazon Linux 2 : python3 (ALAS-2020-1484) | Nessus | Amazon Linux Local Security Checks | medium |
| 140089 | Amazon Linux AMI : python34 (ALAS-2020-1429) | Nessus | Amazon Linux Local Security Checks | medium |
| 140087 | Amazon Linux AMI : python36 (ALAS-2020-1428) | Nessus | Amazon Linux Local Security Checks | medium |
| 140085 | Amazon Linux AMI : python27 (ALAS-2020-1427) | Nessus | Amazon Linux Local Security Checks | medium |
| 140005 | EulerOS Virtualization for ARM 64 3.0.6.0 : python2 (EulerOS-SA-2020-1902) | Nessus | Huawei Local Security Checks | medium |
| 140003 | EulerOS Virtualization for ARM 64 3.0.6.0 : python3 (EulerOS-SA-2020-1900) | Nessus | Huawei Local Security Checks | medium |
| 139903 | openSUSE Security Update : python3 (openSUSE-2020-1265) | Nessus | SuSE Local Security Checks | medium |
| 139898 | openSUSE Security Update : python3 (openSUSE-2020-1258) | Nessus | SuSE Local Security Checks | medium |
| 139897 | openSUSE Security Update : python (openSUSE-2020-1257) | Nessus | SuSE Local Security Checks | medium |
| 139780 | openSUSE Security Update : python (openSUSE-2020-1254) | Nessus | SuSE Local Security Checks | medium |
| 139762 | Fedora 31 : python35 (2020-c539babb0a) | Nessus | Fedora Local Security Checks | medium |
| 139757 | Debian DLA-2337-1 : python2.7 security update | Nessus | Debian Local Security Checks | medium |
| 139723 | SUSE SLED15 / SLES15 Security Update : python3 (SUSE-SU-2020:2277-1) | Nessus | SuSE Local Security Checks | medium |
| 139722 | SUSE SLED15 / SLES15 Security Update : python (SUSE-SU-2020:2276-1) | Nessus | SuSE Local Security Checks | medium |
| 139721 | SUSE SLES12 Security Update : python (SUSE-SU-2020:2275-1) | Nessus | SuSE Local Security Checks | medium |
| 139635 | Fedora 32 : python35 (2020-982b2950db) | Nessus | Fedora Local Security Checks | medium |
| 139588 | Fedora 31 : python3 (2020-d808fdd597) | Nessus | Fedora Local Security Checks | medium |
| 139566 | SUSE SLES12 Security Update : python36 (SUSE-SU-2020:2216-1) | Nessus | SuSE Local Security Checks | medium |
| 139527 | Fedora 31 : python36 (2020-efb908b6a8) | Nessus | Fedora Local Security Checks | medium |
| 139345 | Fedora 32 : python37 (2020-87c0a0a52d) | Nessus | Fedora Local Security Checks | medium |
| 139344 | Fedora 31 : python2 (2020-826b24c329) | Nessus | Fedora Local Security Checks | medium |
| 139343 | Fedora 32 : python36 (2020-1ddd5273d6) | Nessus | Fedora Local Security Checks | medium |
| 139274 | GLSA-202008-01 : Python: Multiple vulnerabilities | Nessus | Gentoo Local Security Checks | medium |
| 139217 | Fedora 32 : python3 / python3-docs (2020-c3b07cc5c9) | Nessus | Fedora Local Security Checks | medium |
| 139216 | Fedora 31 : python38 (2020-bb919e575e) | Nessus | Fedora Local Security Checks | medium |
| 139215 | Fedora 31 : python39 (2020-aab24d3714) | Nessus | Fedora Local Security Checks | medium |
| 139214 | Fedora 32 : python39 (2020-97d775e649) | Nessus | Fedora Local Security Checks | medium |
| 139153 | EulerOS 2.0 SP8 : python3 (EulerOS-SA-2020-1823) | Nessus | Huawei Local Security Checks | medium |
| 139152 | EulerOS 2.0 SP8 : python2 (EulerOS-SA-2020-1822) | Nessus | Huawei Local Security Checks | medium |
| 139058 | Photon OS 2.0: Python3 PHSA-2020-2.0-0265 | Nessus | PhotonOS Local Security Checks | medium |
| 139057 | Photon OS 2.0: Python2 PHSA-2020-2.0-0265 | Nessus | PhotonOS Local Security Checks | medium |
| 139051 | Photon OS 1.0: Python3 PHSA-2020-1.0-0309 | Nessus | PhotonOS Local Security Checks | medium |
| 139050 | Photon OS 1.0: Python2 PHSA-2020-1.0-0309 | Nessus | PhotonOS Local Security Checks | medium |
| 139045 | Photon OS 3.0: Python3 PHSA-2020-3.0-0118 | Nessus | PhotonOS Local Security Checks | medium |
| 139044 | Photon OS 3.0: Python2 PHSA-2020-3.0-0118 | Nessus | PhotonOS Local Security Checks | medium |
| 138921 | Fedora 32 : python27 (2020-e9251de272) | Nessus | Fedora Local Security Checks | medium |
| 138872 | Ubuntu 16.04 LTS / 18.04 LTS / 20.04 : Python vulnerabilities (USN-4428-1) | Nessus | Ubuntu Local Security Checks | medium |
| 138867 | Fedora 32 : mingw-python3 (2020-dfb11916cc) | Nessus | Fedora Local Security Checks | medium |