A denial of service flaw was found in the way Simple XML-RPC Server module of Python processed client connections, that were closed prior the complete request body has been received. A remote attacker could use this flaw to cause Python Simple XML-RPC based server process to consume excessive amount of CPU.
Dates:
Disclosure date: 2012-02-13 (Python issue bpo-14001 reported)
Python 2.6.8 (2012-04-10) fixed by commit 66f3cc6 (branch 2.6) (2012-02-18)
Python 2.7.3 (2012-04-09) fixed by commit 66f3cc6 (branch 2.6) (2012-02-18)
Python 3.1.5 (2012-04-06) fixed by commit ec1712a (branch 3.2) (2012-02-18)
Python 3.2.3 (2012-04-10) fixed by commit ec1712a (branch 3.2) (2012-02-18)
Python 3.3.0 (2012-09-29) fixed by commit ec1712a (branch 3.2) (2012-02-18)
CVE-2012-0845 Python v2.7.2 / v3.2.2 (SimpleXMLRPCServer): DoS (excessive CPU usage) by processing malformed XMLRPC / HTTP POST request.
Python issue: bpo-14001
Creation date: 2012-02-13
Reporter: Jan Lieskovsky
SimpleXMLRPCServer.py in SimpleXMLRPCServer in Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via an XML-RPC POST request that contains a smaller amount of data than specified by the Content-Length header.
CVE ID: CVE-2012-0845
Published: 2012-10-05
CVSS Score: 5.0
Timeline using the disclosure date 2012-02-13 as reference:
2012-02-13: Python issue bpo-14001 reported by Jan Lieskovsky
2012-02-18 (+5 days): commit 66f3cc6 (branch 2.6)
2012-02-18 (+5 days): commit ec1712a (branch 3.2)
2012-04-06 (+53 days): Python 3.1.5 released
2012-04-09 (+56 days): Python 2.7.3 released
2012-04-10 (+57 days): Python 2.6.8 released
2012-04-10 (+57 days): Python 3.2.3 released
2012-09-29: Python 3.3.0 released
2012-10-05 (+235 days): CVE-2012-0845 published
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4