Vulnerabilities > CVE-2021-40839 - Infinite Loop vulnerability in multiple products

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

NONE

Availability impact

HIGH

network

low complexity

rencode-project

fedoraproject

CWE-835

NVD

Published: 2021-09-10

Updated: 2023-11-07

Summary

The rencode package through 1.0.6 for Python allows an infinite loop in typecode decoding (such as via ;\x2f\x7f), enabling a remote attack that consumes CPU and memory.

Vulnerable Configurations

Part	Description	Count
Application	Rencode_Project Rencode Project Rencode 1.0 Rencode Project Rencode 1.0.3 Rencode Project Rencode 1.0.4 Rencode Project Rencode 1.0.5 Rencode Project Rencode 1.0.6	5
OS	Fedoraproject Fedoraproject Fedora 34 Fedoraproject Fedora 35	2

Common Weakness Enumeration (CWE)

CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

References

https://github.com/aresch/rencode/pull/29
https://pypi.org/project/rencode/#history
https://seclists.org/fulldisclosure/2021/Sep/16
https://github.com/aresch/rencode/commit/572ff74586d9b1daab904c6f7f7009ce0143bb75
https://security.netapp.com/advisory/ntap-20211008-0001/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BMVQRPDVSVZNGGX57CFKCYT3DEYO4QB6/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MCLETLGVM5DBX6QNHQFW6TWGO5T3DENY/