{
  "threat_severity" : "Moderate",
  "public_date" : "2024-09-03T13:15:05Z",
  "bugzilla" : {
    "description" : "python: cpython: tarfile: ReDos via excessive backtracking while parsing header values",
    "id" : "2309426",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2309426"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-1333",
  "details" : [ "There is a MEDIUM severity vulnerability affecting CPython.\nRegular expressions that allowed excessive backtracking during tarfile.TarFile header parsing are vulnerable to ReDoS via specifically-crafted tar archives.", "A regular expression denial of service (ReDoS) vulnerability was found in Python's tarfile module. Due to excessive backtracking while the tarfile module parses archive headers, an attacker may be able to trigger a denial of service via a specially crafted tar archive." ],
  "statement" : "This vulnerability is classified as moderate severity rather than important because, while it allows a denial of service (DoS) attack via excessive backtracking in the tarfile module, it does not enable remote code execution or compromise the integrity or confidentiality of data. Exploitation requires an attacker to supply a specially crafted tar archive and relies on the victim's system processing that file, which limits the attack vector.\nVersions of python36:3.6/python36 as shipped with Red Hat Enterprise Linux 8 are marked as 'Not affected' because they only provide \"symlinks\" to the main python3 component, which provides the actual interpreter of the Python programming language.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 7.7 Advanced Update Support",
    "release_date" : "2024-10-28T00:00:00Z",
    "advisory" : "RHSA-2024:8490",
    "cpe" : "cpe:/o:redhat:rhel_aus:7.7",
    "package" : "python3-0:3.6.8-10.el7_7.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7 Extended Lifecycle Support",
    "release_date" : "2025-02-24T00:00:00Z",
    "advisory" : "RHSA-2025:1750",
    "cpe" : "cpe:/o:redhat:rhel_els:7",
    "package" : "python3-0:3.6.8-21.el7_9.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-09-24T00:00:00Z",
    "advisory" : "RHSA-2024:6975",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "python3-0:3.6.8-67.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-10-23T00:00:00Z",
    "advisory" : "RHSA-2024:8359",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "python39:3.9-8100020240927003152.d47b87a4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-10-23T00:00:00Z",
    "advisory" : "RHSA-2024:8359",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "python39-devel:3.9-8100020240927003152.d47b87a4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-11-05T00:00:00Z",
    "advisory" : "RHSA-2024:8836",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "python3.12-0:3.12.6-1.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-11-05T00:00:00Z",
    "advisory" : "RHSA-2024:8838",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "python3.11-0:3.11.10-1.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-09-24T00:00:00Z",
    "advisory" : "RHSA-2024:6975",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "python3-0:3.6.8-67.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support",
    "release_date" : "2024-11-07T00:00:00Z",
    "advisory" : "RHSA-2024:8977",
    "cpe" : "cpe:/a:redhat:rhel_aus:8.4",
    "package" : "python39:3.9-8040020241017072554.63cd9eba"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Telecommunications Update Service",
    "release_date" : "2024-11-07T00:00:00Z",
    "advisory" : "RHSA-2024:8977",
    "cpe" : "cpe:/a:redhat:rhel_tus:8.4",
    "package" : "python39:3.9-8040020241017072554.63cd9eba"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions",
    "release_date" : "2024-11-07T00:00:00Z",
    "advisory" : "RHSA-2024:8977",
    "cpe" : "cpe:/a:redhat:rhel_e4s:8.4",
    "package" : "python39:3.9-8040020241017072554.63cd9eba"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support",
    "release_date" : "2024-11-04T00:00:00Z",
    "advisory" : "RHSA-2024:8797",
    "cpe" : "cpe:/a:redhat:rhel_aus:8.6",
    "package" : "python39:3.9-8060020241017081122.6a631399"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service",
    "release_date" : "2024-11-04T00:00:00Z",
    "advisory" : "RHSA-2024:8797",
    "cpe" : "cpe:/a:redhat:rhel_tus:8.6",
    "package" : "python39:3.9-8060020241017081122.6a631399"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions",
    "release_date" : "2024-11-04T00:00:00Z",
    "advisory" : "RHSA-2024:8797",
    "cpe" : "cpe:/a:redhat:rhel_e4s:8.6",
    "package" : "python39:3.9-8060020241017081122.6a631399"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Extended Update Support",
    "release_date" : "2024-10-03T00:00:00Z",
    "advisory" : "RHSA-2024:7647",
    "cpe" : "cpe:/a:redhat:rhel_eus:8.8",
    "package" : "python3.11-0:3.11.2-2.el8_8.4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Extended Update Support",
    "release_date" : "2024-10-28T00:00:00Z",
    "advisory" : "RHSA-2024:8504",
    "cpe" : "cpe:/a:redhat:rhel_eus:8.8",
    "package" : "python39:3.9-8080020241016061730.93c2fc2f"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-10-23T00:00:00Z",
    "advisory" : "RHSA-2024:8374",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "python3.11-0:3.11.7-1.el9_4.6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-10-24T00:00:00Z",
    "advisory" : "RHSA-2024:8446",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "python3.9-0:3.9.18-3.el9_4.6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-10-24T00:00:00Z",
    "advisory" : "RHSA-2024:8447",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "python3.12-0:3.12.1-4.el9_4.4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-11-12T00:00:00Z",
    "advisory" : "RHSA-2024:9450",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "python3.11-0:3.11.9-7.el9_5.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-11-12T00:00:00Z",
    "advisory" : "RHSA-2024:9451",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "python3.12-0:3.12.5-2.el9_5.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-11-12T00:00:00Z",
    "advisory" : "RHSA-2024:9468",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "python3.9-0:3.9.19-8.el9_5.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-10-24T00:00:00Z",
    "advisory" : "RHSA-2024:8446",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "python3.9-0:3.9.18-3.el9_4.6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-11-12T00:00:00Z",
    "advisory" : "RHSA-2024:9468",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "python3.9-0:3.9.19-8.el9_5.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2024-10-15T00:00:00Z",
    "advisory" : "RHSA-2024:8130",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0",
    "package" : "python3.9-0:3.9.10-4.el9_0.6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support",
    "release_date" : "2024-09-23T00:00:00Z",
    "advisory" : "RHSA-2024:6909",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.2",
    "package" : "python3.9-0:3.9.16-1.el9_2.8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support",
    "release_date" : "2024-10-01T00:00:00Z",
    "advisory" : "RHSA-2024:7415",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.2",
    "package" : "python3.11-0:3.11.2-2.el9_2.6"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "python3.12",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "python",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "python",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "python36:3.6/python36",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux AI (RHEL AI)",
    "fix_state" : "Affected",
    "package_name" : "rhelai1/bootc-nvidia-rhel9",
    "cpe" : "cpe:/a:redhat:enterprise_linux_ai:1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-6232\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-6232\nhttps://github.com/python/cpython/issues/121285\nhttps://github.com/python/cpython/pull/121286\nhttps://mail.python.org/archives/list/security-announce@python.org/thread/JRYFTPRHZRTLMZLWQEUHZSJXNHM4ACTY/" ],
  "name" : "CVE-2024-6232",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}