HIGH 7.5
PYSEC-2024-155
Details
cbor2 provides encoding and decoding for the Concise Binary Object Representation (CBOR) (RFC 8949) serialization format. Starting in version 5.5.1 and prior to version 5.6.2, an attacker can crash a service using cbor2 to parse a CBOR binary by sending a long enough object. Version 5.6.2 contains a patch for this issue.
Are you affected?
Enter the version of the package you're using.
Affected packages
PyPI / cbor2
Introduced in:
0 Fixed in: 387755eacf0be35591a478d3c67fe10618a6d542 Fix
pip install --upgrade 'cbor2>=387755eacf0be35591a478d3c67fe10618a6d542' References
- https://github.com/agronholm/cbor2/security/advisories/GHSA-375g-39jq-vq7m [ADVISORY]
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BT42VXZMMMCSSHMA65KKPOZCXJEYHNR5/ [ARTICLE]
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GX524ZG2XJWFV37UQKQ4LWIH4UICSGEQ/ [ARTICLE]
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PWC3VU6YV6EXKCSX5GTKWLBZIDIJNQJY/ [ARTICLE]
- https://github.com/agronholm/cbor2/security/advisories/GHSA-375g-39jq-vq7m [EVIDENCE]
- https://github.com/agronholm/cbor2/commit/387755eacf0be35591a478d3c67fe10618a6d542 [FIX]
- https://github.com/agronholm/cbor2/commit/4de6991ba29bf2290d7b9d83525eda7d021873df [FIX]
- https://github.com/agronholm/cbor2/pull/204 [REPORT]
- https://github.com/agronholm/cbor2/releases/tag/5.6.2 [WEB]
- https://github.com/advisories/GHSA-375g-39jq-vq7m [ADVISORY]