Platform: python
Component: priority
Fixed in: 1.2.0
CVE-2016-6580 affects the Python priority library versions up to 1.1.1. This vulnerability allows a malicious HTTP/2 peer to exhaust system memory and consume excessive CPU resources. The flaw stems from the library's handling of HTTP/2 stream priorities, where a malicious peer can flood the priority tree with requests. The vulnerability is resolved in version 1.2.0.
This vulnerability allows a remote attacker to cause a denial-of-service (DoS) condition on systems using the affected Python priority library. By repeatedly assigning priority information for every possible HTTP/2 stream ID, the attacker can force the priority tree to allocate unbounded amounts of memory. This memory exhaustion can lead to application crashes, system instability, and potentially allow an attacker to disrupt services. The high CPU usage associated with maintaining the oversized priority tree further exacerbates the impact and can degrade other processes on the same system. While not directly exploitable for remote code execution, the DoS potential is significant, especially in environments handling high volumes of HTTP/2 traffic.
CVE-2016-6580 was publicly disclosed in January 2017. There is no indication of active exploitation campaigns targeting this vulnerability. It is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are available, demonstrating the feasibility of triggering the memory exhaustion condition. The vulnerability's impact is primarily a denial-of-service, making it less attractive to attackers compared to vulnerabilities leading to remote code execution.
Exploit status
EPSS: 0.48% (65th percentile)
CVSS vector
The primary mitigation for CVE-2016-6580 is to upgrade the Python priority library to version 1.2.0 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing rate limiting on incoming HTTP/2 stream priority information to prevent an attacker from flooding the system with requests. While not a complete solution, this can reduce the impact. Monitoring memory usage and CPU utilization on systems running applications using the priority library is also recommended to detect potential exploitation attempts. There are no specific WAF rules or detection signatures readily available for this vulnerability, making proactive monitoring crucial.
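As an added illustration of the two mitigations described above (not code from the priority library or from this advisory), the following Python sketch tracks HTTP/2 stream priorities behind a hard cap on tracked streams and a rate limit on priority updates, and includes a flood simulator so the effect of the caps can be observed. The class names, default limits and the injectable clock are assumptions made for this example.

```python
import time
from collections import deque

class TooManyStreams(Exception):
    """Peer tried to track more streams than the cap allows."""

class PriorityRateExceeded(Exception):
    """Peer sent priority updates faster than the allowed rate."""

class BoundedPriorityTree:
    """Stand-in for an HTTP/2 priority tree with two defensive limits: new streams
    are admitted only while fewer than max_streams are tracked, and updates are
    capped at max_updates per window_s seconds (2**31 stream IDs exist otherwise)."""

    def __init__(self, max_streams=1000, max_updates=200, window_s=1.0,
                 clock=time.monotonic):
        self.max_streams = max_streams
        self.max_updates = max_updates
        self.window_s = window_s
        self.clock = clock            # injectable for deterministic tests
        self.streams = {}             # stream_id -> (depends_on, weight)
        self.update_times = deque()   # timestamps of recent priority updates

    def _enforce_rate(self):
        now = self.clock()
        while self.update_times and now - self.update_times[0] > self.window_s:
            self.update_times.popleft()   # forget updates outside the window
        if len(self.update_times) >= self.max_updates:
            raise PriorityRateExceeded(f"over {self.max_updates} per {self.window_s}s")
        self.update_times.append(now)

    def reprioritize(self, stream_id, depends_on=0, weight=16):
        # Record priority for stream_id, refusing growth beyond the caps.
        self._enforce_rate()
        if stream_id not in self.streams and len(self.streams) >= self.max_streams:
            raise TooManyStreams(f"already tracking {self.max_streams} streams")
        self.streams[stream_id] = (depends_on, weight)

def simulate_flood(tree, count):
    """Send updates for `count` distinct client (odd) stream IDs; tally the answers."""
    tally = {"accepted": 0, "too_many_streams": 0, "rate_limited": 0}
    for stream_id in range(1, 2 * count, 2):
        try:
            tree.reprioritize(stream_id)
            tally["accepted"] += 1
        except TooManyStreams:
            tally["too_many_streams"] += 1
        except PriorityRateExceeded:
            tally["rate_limited"] += 1
    return tally
```

In a real server the rejected updates would be answered with a connection-level error and the connection closed, and the rejection counters are the signal worth exporting to the memory and CPU monitoring mentioned above.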
CVE-2016-6580 is a HIGH severity vulnerability affecting the Python priority library versions up to 1.1.1. A malicious HTTP/2 peer can trigger unbounded memory allocation, leading to a denial-of-service.
You are affected if you are using the Python priority library version 1.1.1 or earlier. Check your library version using pip show priority.
Upgrade the Python priority library to version 1.2.0 or later using pip install priority==1.2.0.
There is no current evidence of active exploitation campaigns targeting CVE-2016-6580, but a public PoC exists.
Refer to the Python security advisory for CVE-2016-6580: https://www.python.org/security/#CVE-2016-6580