CVE-2022-45061

Updated: 2025-11-10 00:12:25.998685

Description:

An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname. For example, the attack payload could be placed in the Location header of an HTTP response with status code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16.


Links NIST CIRCL RHEL Ubuntu

Severity

Severity Score
CVSS Version 2.x 0.0
CVSS Version 3.x HIGH 7.5

Status

OS name Project name Version Score Severity Status Errata Last updated

Statement
CentOS 6 ELS python 2.6.6 7.5 HIGH Released CLSA-2022:1669236630 2022-12-08 10:03:33
CentOS 7 ELS python 2.7.5 7.5 HIGH Released CLSA-2023:1697739734 2023-10-19 21:09:37
CentOS 7 ELS python3 3.6.8 7.5 HIGH Released CLSA-2023:1697739575 2023-10-19 21:09:35
CentOS 8.4 ELS python3 3.6.8 7.5 HIGH Released CLSA-2022:1669237532 2022-11-23 16:21:48
CentOS 8.4 ELS python2 2.7.18 7.5 HIGH Released CLSA-2022:1669237735 2022-11-23 16:21:49
CentOS 8.5 ELS python2 2.7.18 7.5 HIGH Released CLSA-2022:1669238752 2022-11-23 20:21:49
CentOS 8.5 ELS python3 3.6.8 7.5 HIGH Released CLSA-2022:1669238513 2022-11-23 20:21:49
CloudLinux 6 ELS python 2.6.6 7.5 HIGH Released CLSA-2022:1669239181 2022-12-08 10:03:33
CloudLinux 7 ELS python 2.7.5 7.5 HIGH Released CLSA-2024:1727289167 2024-10-07 10:49:55
CloudLinux 7 ELS python3 3.6.8 7.5 HIGH Released CLSA-2024:1727288754 2024-10-07 10:50:30
Total: 15