UBUNTU-CVE-2024-24762

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2024-24762

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-24762.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2024-24762

Upstream

CVE-2024-24762

Downstream

USN-8027-1

Related

USN-8027-1

Published

2024-02-05T15:15:00Z

Modified

2026-02-12T14:43:59.909344Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Ubuntu - medium

Summary

[none]

Details

python-multipart is a streaming multipart parser for Python. When using form data, python-multipart uses a Regular Expression to parse the HTTP Content-Type header, including options. An attacker could send a custom-made Content-Type option that is very difficult for the RegEx to process, consuming CPU resources and stalling indefinitely (minutes or more) while holding the main event loop. This means that process can't handle any more requests, leading to regular expression denial of service. This vulnerability has been patched in version 0.0.7.

References

Affected packages

Ubuntu:Pro:22.04:LTS / python-multipart

Package

Name: python-multipart
Purl: pkg:deb/ubuntu/python-multipart@0.0.5-2ubuntu0.1~esm1?arch=source&distro=esm-apps/jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.0.5-2ubuntu0.1~esm1

Affected versions

0.*

0.0.5-2

Ecosystem specific

{
    "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro",
    "binaries": [
        {
            "binary_version": "0.0.5-2ubuntu0.1~esm1",
            "binary_name": "python3-multipart"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-24762.json"