#VU94792 Infinite loop in zipp - CVE-2024-5569

Cybersecurity Help s.r.o.

Published: 2024-07-26 | Updated: 2025-02-11

Vulnerability identifier: #VU94792

Vulnerability risk: Medium

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2024-5569

CWE-ID: CWE-835

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
zipp
Other software / Other software solutions

Vendor: jaraco (Jason R. Coombs)

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop. A remote attacker can pass a specially crafted zip file to the application, consume all available system resources and cause denial of service conditions.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

zipp: 3.0.0 - 3.19.0

External links
https://huntr.com/bounties/be898306-11f9-46b4-b28c-f4c4aa4ffbae
https://github.com/jaraco/zipp/commit/fd604bd34f0343472521a36da1fbd22e793e14fd

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Knowledge Catalog for IBM Cloud Pak for Data

Anolis OS update for python-zipp

Multiple vulnerabilities in IBM Concert Software

IBM Cloud Pak for Data System 2.0 update for zipp

Multiple vulnerabilities in QRadar Advisor With Watson for IBM QRadar SIEM

IBM watsonx Assistant Cartridge and IBM watsonx Orchestrate with watsonx Assistant Cartridge - Assistant Builder Component update for zipp

IBM watsonx Orchestrate Cartridge for IBM Cloud Pak for Data update for zipp

IBM Maximo Application Suite - Monitor Component update for zipp

Multiple vulnerabilities in IBM Security QRadar EDR

IBM watsonx.data update for zipp