CVE-2013-4199: Plone Denial of Service vulnerability via decompressing large zip archives
CVSS Score
3.1
Basic Information
CVE ID
CVE-2013-4199
GHSA ID
EPSS Score
0.64159%
CWE
CWE-400 (Uncontrolled Resource Consumption)
Published
5/17/2022
Updated
10/17/2024
KEV Status
No
Technology
Python
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
plone | pip | >= 4.3, < 4.3.2 | 4.3.2 |
plone | pip | >= 4.2, < 4.2.6 | 4.2.6 |
plone | pip | >= 2.1, <= 4.1 | 4.1.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The advisory names cb_decode.py and linkintegrity.py as the affected files; both take compressed data supplied by the client and inflate it in memory. Public advisories do not name the vulnerable functions, but the defect is the one described by CWE-400 (Uncontrolled Resource Consumption): the decompressed size is never bounded, so a small compressed payload that inflates to a very large output lets an authenticated user with low privileges (PR:L in the CVSS vector) exhaust server memory and take the instance down. Checking the size of the incoming request is not enough, because the attacker controls the compression ratio, not the request size; the remedy is to cap the inflated output, and the table above lists the first releases that carry the fix.
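The pattern behind this CVE, shown as an added example rather than Plone's own code: a decoder that inflates base64-wrapped zlib data with no limit beside one that stops at a configured cap. The payload is a constructed "decompression bomb" (16 MiB of zeros, which deflates to a few KiB), and the cap `MAX_INFLATED_BYTES` and the function names are hypothetical choices for the illustration.

```python
import base64
import zlib

# Constructed sample input, not a payload from the advisory: 16 MiB of zero
# bytes deflates to roughly 16 KiB, so a ~22 KiB base64 string inflates to
# 16 MiB on the server. This is the "large archive in a small request" shape
# that CWE-400 describes.
BOMB_PLAINTEXT_SIZE = 16 * 1024 * 1024
BOMB = base64.b64encode(zlib.compress(b"\x00" * BOMB_PLAINTEXT_SIZE, 9))

# Hypothetical cap for illustration; a real service would size it to the
# largest legitimate payload the feature ever produces.
MAX_INFLATED_BYTES = 1024 * 1024


class DecompressionBomb(ValueError):
    """Raised when inflating the payload would exceed the configured cap."""


def encode(payload: bytes) -> bytes:
    """Client side: the base64(zlib(payload)) framing both decoders accept."""
    return base64.b64encode(zlib.compress(payload))


def decode_unbounded(data: bytes) -> bytes:
    """Vulnerable pattern: inflate whatever the client sent in one call.

    zlib.decompress allocates the entire output, so peak memory is set by the
    attacker's compression ratio rather than by the size of the request.
    """
    return zlib.decompress(base64.b64decode(data))


def decode_bounded(data: bytes, max_bytes: int = MAX_INFLATED_BYTES) -> bytes:
    """Hardened pattern: inflate incrementally and stop at max_bytes.

    decompressobj.decompress(max_length=...) never produces more than
    max_length bytes, so asking for max_bytes + 1 reveals whether the payload
    would overrun the cap without ever materialising the full output.
    """
    raw = base64.b64decode(data, validate=True)
    inflater = zlib.decompressobj()
    out = inflater.decompress(raw, max_bytes + 1)
    if len(out) > max_bytes or inflater.unconsumed_tail:
        raise DecompressionBomb(
            f"payload of {len(raw)} compressed bytes exceeds {max_bytes} inflated bytes"
        )
    if not inflater.eof:
        raise ValueError("truncated or corrupt zlib stream")
    return out


def is_bomb(data: bytes, max_bytes: int = MAX_INFLATED_BYTES) -> bool:
    """True if decode_bounded would reject the payload for exceeding the cap."""
    try:
        decode_bounded(data, max_bytes)
    except DecompressionBomb:
        return True
    return False


def compression_ratio(data: bytes) -> float:
    """Inflated size / transmitted size: the attacker's leverage against memory."""
    return len(decode_unbounded(data)) / len(data)


if __name__ == "__main__":
    print(f"request bytes:  {len(BOMB)}")
    print(f"inflated bytes: {len(decode_unbounded(BOMB))}  (ratio ~{compression_ratio(BOMB):.0f}:1)")
    print(f"bounded decoder rejects it: {is_bomb(BOMB)}")
    print(f"legitimate payload survives: {decode_bounded(encode(b'ok'))!r}")
```

The bounded decoder never allocates more than `max_bytes + 1` bytes of output regardless of what the client sends, which is the property the original code lacked; a request-size limit at the web server would not help, since the whole bomb fits in a few kilobytes of cookie or form data.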