{
  "threat_severity" : "Moderate",
  "public_date" : "2024-07-09T00:00:00Z",
  "bugzilla" : {
    "description" : "github.com/jaraco/zipp: Denial of Service (infinite loop) via crafted zip file in jaraco/zipp",
    "id" : "2296413",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2296413"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.2",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-400",
  "details" : [ "A Denial of Service (DoS) vulnerability exists in the jaraco/zipp library, affecting all versions prior to 3.19.1. The vulnerability is triggered when processing a specially crafted zip file that leads to an infinite loop. This issue also impacts the zipfile module of CPython, because features from the third-party zipp library are periodically merged into CPython's zipfile module, and the affected code is identical in both projects. The infinite loop can be triggered through methods of the `Path` class in both zipp and zipfile, such as `joinpath`, the overloaded division operator (`/`), and `iterdir`. Although the infinite loop does not exhaust memory or disk, it blocks the calling thread indefinitely and so prevents the application from responding; any application that opens attacker-supplied archives via `zipp.Path` or `zipfile.Path` is exposed. The vulnerability was addressed in version 3.19.1 of jaraco/zipp; CPython's zipfile module requires its own corresponding fix.", "A flaw was found in jaraco/zipp. The vulnerability is triggered when processing a specially crafted zip file that leads to an infinite loop. This issue also impacts the zipfile module of CPython, because features from the third-party zipp library are periodically merged into CPython, and the affected code is identical in both projects." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Ansible Automation Platform 2.4 for RHEL 8",
    "release_date" : "2024-09-05T00:00:00Z",
    "advisory" : "RHSA-2024:6428",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.4::el8",
    "package" : "python3x-zipp-0:3.19.2-1.el8ap"
  }, {
    "product_name" : "Red Hat Ansible Automation Platform 2.4 for RHEL 9",
    "release_date" : "2024-09-05T00:00:00Z",
    "advisory" : "RHSA-2024:6428",
    "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.4::el9",
    "package" : "python-zipp-0:3.19.2-1.el9ap"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.16",
    "release_date" : "2024-10-30T00:00:00Z",
    "advisory" : "RHSA-2024:8418",
    "cpe" : "cpe:/a:redhat:openshift_ironic:4.16::el9",
    "package" : "python-zipp-0:3.19.1-1.el9"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.17",
    "release_date" : "2024-10-23T00:00:00Z",
    "advisory" : "RHSA-2024:8232",
    "cpe" : "cpe:/a:redhat:openshift_ironic:4.17::el9",
    "package" : "python-zipp-0:3.19.1-1.el9"
  }, {
    "product_name" : "Red Hat OpenStack Platform 17.1 for RHEL 9",
    "release_date" : "2024-11-21T00:00:00Z",
    "advisory" : "RHSA-2024:9977",
    "cpe" : "cpe:/a:redhat:openstack:17.1::el9",
    "package" : "python-zipp-0:3.4.0-3.el9ost"
  }, {
    "product_name" : "Red Hat Satellite 6.16 for RHEL 8",
    "release_date" : "2024-11-05T00:00:00Z",
    "advisory" : "RHSA-2024:8906",
    "cpe" : "cpe:/a:redhat:satellite:6.16::el8",
    "package" : "python-zipp-0:3.20.2-1.el8pc"
  }, {
    "product_name" : "Red Hat Satellite 6.16 for RHEL 8",
    "release_date" : "2024-11-05T00:00:00Z",
    "advisory" : "RHSA-2024:8906",
    "cpe" : "cpe:/a:redhat:satellite_capsule:6.16::el8",
    "package" : "python-zipp-0:3.20.2-1.el8pc"
  }, {
    "product_name" : "Red Hat Satellite 6.16 for RHEL 9",
    "release_date" : "2024-11-05T00:00:00Z",
    "advisory" : "RHSA-2024:8906",
    "cpe" : "cpe:/a:redhat:satellite:6.16::el9",
    "package" : "python-zipp-0:3.20.2-1.el9pc"
  }, {
    "product_name" : "Red Hat Satellite 6.16 for RHEL 9",
    "release_date" : "2024-11-05T00:00:00Z",
    "advisory" : "RHSA-2024:8906",
    "cpe" : "cpe:/a:redhat:satellite_capsule:6.16::el9",
    "package" : "python-zipp-0:3.20.2-1.el9pc"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat OpenStack Platform 16.2",
    "fix_state" : "Will not fix",
    "package_name" : "python-zipp",
    "cpe" : "cpe:/a:redhat:openstack:16.2"
  }, {
    "product_name" : "Red Hat OpenStack Platform 18.0",
    "fix_state" : "Affected",
    "package_name" : "python-zipp",
    "cpe" : "cpe:/a:redhat:openstack:18.0"
  }, {
    "product_name" : "Red Hat Update Infrastructure 4 for Cloud Providers",
    "fix_state" : "Will not fix",
    "package_name" : "python-zipp",
    "cpe" : "cpe:/a:redhat:rhui:4::el8"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-5569\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-5569\nhttps://github.com/jaraco/zipp/commit/fd604bd34f0343472521a36da1fbd22e793e14fd\nhttps://huntr.com/bounties/be898306-11f9-46b4-b28c-f4c4aa4ffbae" ],
  "name" : "CVE-2024-5569",
  "csaw" : false
}