CVE-2019-9674 - Vulnerability Details - OpenCVE

Lib/zipfile.py in Python through 3.7.2 allows remote attackers to cause a denial of service (resource consumption) via a ZIP bomb.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Canonical	Ubuntu Linux
Netapp	Active Iq Unified Manager
Python	Python

Configuration 1 [-]

cpe:2.3:a:python:python:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:o:canonical:ubuntu_linux:12.04::::-:::
	cpe:2.3:o:canonical:ubuntu_linux:14.04::::esm:::
	cpe:2.3:o:canonical:ubuntu_linux:16.04::::esm:::
	cpe:2.3:o:canonical:ubuntu_linux:18.04::::lts:::
	cpe:2.3:o:canonical:ubuntu_linux:20.04::::lts:::

Configuration 3 [-]

cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*

No data.

References

Link	Providers
http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00003.html
http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00041.html
https://bugs.python.org/issue36260
https://bugs.python.org/issue36462
https://github.com/python/cpython/blob/master/Lib/zipfile.py
https://nvd.nist.gov/vuln/detail/CVE-2019-9674
https://python-security.readthedocs.io/security.html#archives-and-zip-bomb
https://security.netapp.com/advisory/ntap-20200221-0003/
https://usn.ubuntu.com/4428-1/
https://www.cve.org/CVERecord?id=CVE-2019-9674
https://www.python.org/news/security/

History

Wed, 16 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.01197}`	epss `{'score': 0.0123}`

Sat, 12 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.01138}`	epss `{'score': 0.01197}`

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2020-02-04T14:05:49

Updated: 2024-08-04T21:54:45.475Z

Reserved: 2019-03-11T00:00:00

Link: CVE-2019-9674

Vulnrichment

No data.

NVD

Status : Modified

Published: 2020-02-04T15:15:11.633

Modified: 2024-11-21T04:52:05.390

Link: CVE-2019-9674

Redhat

Severity : Low

Publid Date: 2019-03-11T00:00:00Z

Links: CVE-2019-9674 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Lib/zipfile.py in Python through 3.7.2 allows remote attackers to cause a denial of service (resource consumption) via a ZIP bomb."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-07-27T17:06:29", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.python.org/news/security/"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/python/cpython/blob/master/Lib/zipfile.py"}, {"tags": ["x_refsource_MISC"], "url": "https://bugs.python.org/issue36462"}, {"tags": ["x_refsource_MISC"], "url": "https://bugs.python.org/issue36260"}, {"tags": ["x_refsource_MISC"], "url": "https://python-security.readthedocs.io/security.html#archives-and-zip-bomb"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20200221-0003/"}, {"name": "openSUSE-SU-2020:0274", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00003.html"}, {"name": "openSUSE-SU-2020:0696", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00041.html"}, {"name": "USN-4428-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/4428-1/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-9674", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Lib/zipfile.py in Python through 3.7.2 allows remote attackers to cause a denial of service (resource consumption) via a ZIP bomb."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.python.org/news/security/", "refsource": "MISC", "url": "https://www.python.org/news/security/"}, {"name": "https://github.com/python/cpython/blob/master/Lib/zipfile.py", "refsource": "MISC", "url": "https://github.com/python/cpython/blob/master/Lib/zipfile.py"}, {"name": "https://bugs.python.org/issue36462", "refsource": "MISC", "url": "https://bugs.python.org/issue36462"}, {"name": "https://bugs.python.org/issue36260", "refsource": "MISC", "url": "https://bugs.python.org/issue36260"}, {"name": "https://python-security.readthedocs.io/security.html#archives-and-zip-bomb", "refsource": "MISC", "url": "https://python-security.readthedocs.io/security.html#archives-and-zip-bomb"}, {"name": "https://security.netapp.com/advisory/ntap-20200221-0003/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20200221-0003/"}, {"name": "openSUSE-SU-2020:0274", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00003.html"}, {"name": "openSUSE-SU-2020:0696", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00041.html"}, {"name": "USN-4428-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4428-1/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T21:54:45.475Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.python.org/news/security/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/python/cpython/blob/master/Lib/zipfile.py"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugs.python.org/issue36462"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugs.python.org/issue36260"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://python-security.readthedocs.io/security.html#archives-and-zip-bomb"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20200221-0003/"}, {"name": "openSUSE-SU-2020:0274", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00003.html"}, {"name": "openSUSE-SU-2020:0696", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00041.html"}, {"name": "USN-4428-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "https://usn.ubuntu.com/4428-1/"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-9674", "datePublished": "2020-02-04T14:05:49", "dateReserved": "2019-03-11T00:00:00", "dateUpdated": "2024-08-04T21:54:45.475Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*", "matchCriteriaId": "14F03B99-36FE-4A52-9790-DAEC1C20B1A5", "versionEndIncluding": "3.7.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:-:*:*:*", "matchCriteriaId": "CB66DB75-2B16-4EBF-9B93-CE49D8086E41", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*", "matchCriteriaId": "815D70A8-47D3-459C-A32C-9FEACA0659D1", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*", "matchCriteriaId": "7A5301BF-1402-4BE0-A0F8-69FBE79BC6D6", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*", "matchCriteriaId": "902B8056-9E37-443B-8905-8AA93E2447FB", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*", "matchCriteriaId": "3A756737-1CC4-42C2-A4DF-E1C893B4E2D5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Lib/zipfile.py in Python through 3.7.2 allows remote attackers to cause a denial of service (resource consumption) via a ZIP bomb."}, {"lang": "es", "value": "La biblioteca Lib/zipfile.py en Python versiones hasta 3.7.2, permite a atacantes remotos causar una denegaci\u00f3n de servicio (consumo de recursos) por medio de una bomba ZIP."}], "id": "CVE-2019-9674", "lastModified": "2024-11-21T04:52:05.390", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-02-04T15:15:11.633", "references": [{"source": "cve@mitre.org", "tags": ["Broken Link"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00003.html"}, {"source": "cve@mitre.org", "tags": ["Broken Link"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00041.html"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugs.python.org/issue36260"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugs.python.org/issue36462"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/python/cpython/blob/master/Lib/zipfile.py"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://python-security.readthedocs.io/security.html#archives-and-zip-bomb"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20200221-0003/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/4428-1/"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://www.python.org/news/security/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00003.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-05/msg00041.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugs.python.org/issue36260"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugs.python.org/issue36462"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/python/cpython/blob/master/Lib/zipfile.py"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://python-security.readthedocs.io/security.html#archives-and-zip-bomb"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20200221-0003/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/4428-1/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.python.org/news/security/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "python: Nested zip file (Zip bomb) vulnerability in Lib/zipfile.py", "id": "1800749", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1800749"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.2", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-409", "details": ["Lib/zipfile.py in Python through 3.7.2 allows remote attackers to cause a denial of service (resource consumption) via a ZIP bomb.", "A ZIP bomb attack was found in the Python zipfile module. A remote attacker could abuse this flaw by providing a specially crafted ZIP file that, when decompressed by zipfile, would exhaust system resources resulting in a denial of service."], "name": "CVE-2019-9674", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Will not fix", "package_name": "python", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Will not fix", "package_name": "python", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Will not fix", "package_name": "python", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Will not fix", "package_name": "python3", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "python27:2.7/python2", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "python3", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Will not fix", "package_name": "python36:3.6/python36", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Will not fix", "package_name": "python27-python", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Will not fix", "package_name": "rh-python36-python", "product_name": "Red Hat Software Collections"}], "public_date": "2019-03-11T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-9674\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-9674"], "statement": "There is no plan to fix this flaw. Programs using the Python zipfile module should be responsible for validating external untrusted ZIP files. For further details, please refer to the following URLs:\n[1] https://docs.python.org/dev/library/zipfile.html#decompression-pitfalls\n[2] https://python-security.readthedocs.io/security.html#archives-and-zip-bomb", "threat_severity": "Low"}