`python-multipart` is a streaming multipart parser for Python. When using form data, `python-multipart` uses a Regular Expression to parse the HTTP `Content-Type` header, including options. An attacker could send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can't handle any more requests, leading to regular expression denial of service. This vulnerability has been patched in version 0.0.7.

The remote Ubuntu 22.04 LTS / 24.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-8027-1 advisory.

    It was discovered that Python-Multipart incorrectly handled certain

    regular expressions. An attacker could possibly use this issue to cause Python-Multipart to consume     excessive resources, leading to a regular

    expression denial of service. This issue only affected Ubuntu 22.04 LTS. (CVE-2024-24762)

    It was discovered that Python-Multipart did not properly sanitize line breaks during user input. An     attacker could use this issue to send

    arbitrary input, thus preventing other requests from being processed,

    resulting in a denial of service. This issue was only fixed in

    Ubuntu 24.04 LTS. (CVE-2024-53981)

    It was discovered that Python-Multipart was vulnerable to path traversal attacks. An attacker could     possibly craft and upload files outside the

    target directory, resulting in remote code execution. (CVE-2026-24486)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - `python-multipart` is a streaming multipart parser for Python. When using form data, `python-multipart`     uses a Regular Expression to parse the HTTP `Content-Type` header, including options. An attacker could     send a custom-made `Content-Type` option that is very difficult for the RegEx to process, consuming CPU     resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that     process can't handle any more requests, leading to regular expression denial of service. This     vulnerability has been patched in version 0.0.7. (CVE-2024-24762)

Note that Nessus relies on the presence of the package as reported by the vendor.

The remote Fedora 40 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2024-0396ef82cd advisory.

    Automatic update for python-fastapi-0.109.1-1.fc40.

    ##### **Changelog**

    ```
    * Thu Feb  8 2024 Packit <hello@packit.dev> - 0.109.1-1
    - [packit] 0.109.1 upstream release
    - Resolves rhbz#2262507, resolves rhbz#2262844

    ```

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
298807	Ubuntu 22.04 LTS / 24.04 LTS : Python-Multipart vulnerabilities (USN-8027-1)	Nessus	Ubuntu Local Security Checks	high
227823	Linux Distros Unpatched Vulnerability : CVE-2024-24762	Nessus	Misc.	high
194623	Fedora 40 : python-fastapi (2024-0396ef82cd)	Nessus	Fedora Local Security Checks	high

Detections

Analytics

CVE-2024-24762

high

Tenable Plugins

high

high

high