CVE-2021-40839

Name
CVE-2021-40839
Description
The rencode package through 1.0.6 for Python allows an infinite loop in typecode decoding (such as via ;\x2f\x7f), enabling a remote attack that consumes CPU and memory.
NVD Severity
medium

References

Type | URI
MISC | https://github.com/aresch/rencode/pull/29
MISC | https://pypi.org/project/rencode/#history
MISC | https://seclists.org/fulldisclosure/2021/Sep/16
MISC | https://github.com/aresch/rencode/commit/572ff74586d9b1daab904c6f7f7009ce0143bb75
CONFIRM | https://security.netapp.com/advisory/ntap-20211008-0001/
Mailing List | https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BMVQRPDVSVZNGGX57CFKCYT3DEYO4QB6/
Mailing List | https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MCLETLGVM5DBX6QNHQFW6TWGO5T3DENY/

Match rules

CPE URI | Source package | Min version | Max version
cpe:2.3:a:rencode_project:rencode:*:*:*:*:*:python:*:* | py3-rencode | >= None | <= 1.0.6

Vulnerable and fixed packages

Source package | Branch | Version | Maintainer | Status
py3-rencode | 3.14-community | 1.0.6-r5 | Francesco Colista <fcolista@alpinelinux.org> | possibly vulnerable
py3-rencode | 3.15-community | 1.0.6-r5 | Francesco Colista <fcolista@alpinelinux.org> | possibly vulnerable
py3-rencode | 3.16-community | 1.0.6-r6 | Francesco Colista <fcolista@alpinelinux.org> | possibly vulnerable
py3-rencode | 3.17-community | 1.0.6-r7 | Francesco Colista <fcolista@alpinelinux.org> | fixed
py3-rencode | 3.18-community | 1.0.6-r10 | Francesco Colista <fcolista@alpinelinux.org> | fixed
py3-rencode | 3.19-community | 1.0.6-r10 | Francesco Colista <fcolista@alpinelinux.org> | fixed
py3-rencode | edge-community | 1.0.6-r11 | Francesco Colista <fcolista@alpinelinux.org> | fixed
py3-rencode | 3.20-community | 1.0.6-r11 | Francesco Colista <fcolista@alpinelinux.org> | fixed