Platform: python
Component: priority
Fixed in: 1.2.0
CVE-2016-6580 affects the Python `priority` library (the HTTP/2 priority-tree implementation from the python-hyper project) in versions up to and including 1.1.1, that is, everything before 1.2.0. An HTTP/2 implementation built on it can be targeted by a malicious peer that sends priority information (PRIORITY frames, or the priority fields of HEADERS frames) for every possible HTTP/2 stream ID. The priority tree stores an entry for each stream it is told about, so a peer can force it to allocate memory without bound, and maintaining and walking a tree that large also drives CPU usage very high. Version 1.2.0 resolves this by capping the number of streams the tree will track.
Exploitation yields a denial of service (DoS): the attacker makes the affected process allocate unbounded memory, which leads to swapping, out-of-memory kills or crashes, and the cost of maintaining the inflated tree burns CPU, so other processes on the same host can be starved as well. There is no confidentiality or integrity impact; the only direct effect is on availability, although a DoS of this kind can also be used to mask other activity or to disrupt services that depend on the affected one.
CVE-2016-6580 was published on January 10, 2017. There is no indication of active exploitation campaigns targeting it. It is not listed in CISA's KEV catalog, and its EPSS score (0.48%, 65th percentile) indicates a low probability of exploitation. Public proof-of-concept (PoC) code demonstrating the memory exhaustion is available; note that the attack needs nothing beyond sending valid PRIORITY frames for many stream IDs, so the absence of a weaponised exploit offers little comfort to anyone exposing a vulnerable HTTP/2 endpoint.
Exploit status: no active exploitation known; public PoC available
EPSS: 0.48% (65th percentile)
CVSS vector: not provided (severity: HIGH)
The primary mitigation for CVE-2016-6580 is to upgrade the Python `priority` library to version 1.2.0 or later. That release bounds the size of the priority tree: the `PriorityTree` constructor gained a `maximum_streams` limit (default 1000), and inserting a stream beyond it raises `TooManyStreamsError`. The protection is only effective if the code using the tree handles that exception, typically by treating the peer as hostile and closing the connection. If upgrading is not immediately feasible, enforce a per-connection cap on the number of streams for which priority state is kept, and rate-limit HTTP/2 connections per peer; neither is a complete fix, but both bound the memory a single peer can consume. Monitor CPU and memory on HTTP/2-serving processes for unusual growth, which could indicate exploitation. After upgrading, confirm the fix by replaying a stream of PRIORITY frames for many distinct stream IDs against a test instance and checking that the server rejects the connection once the cap is reached instead of growing without bound.
An official fix is available: priority 1.2.0 or later.
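To make the mechanism and the fix concrete, here is an added example constructed for this page; it is not code from the `priority` library or from any HTTP/2 server. It encodes HTTP/2 PRIORITY frames the way an attacker would send them for thousands of stream IDs that are never actually opened, feeds them to a minimal dict-based model of a priority tree, and shows the pre-fix behaviour (every stream ID gets an entry, without bound) next to the fixed behaviour (a per-connection cap that rejects the peer once it is reached). `PriorityTreeModel`, `feed_priority_frames` and `malicious_priority_flood` are names invented for this example; the real library's equivalents are the `maximum_streams` argument to `PriorityTree` and the `TooManyStreamsError` exception, whose name the model borrows.

```python
"""Constructed model of the CVE-2016-6580 pattern: PRIORITY-frame flood vs. a capped tree.

Not code from the `priority` library. The tree is a plain dict standing in for
the real PriorityTree; the cap mirrors the approach taken in priority 1.2.0.
"""
import struct

PRIORITY_FRAME_TYPE = 0x2
MAX_STREAM_ID = 0x7FFFFFFF  # 31-bit stream ids: ~2.1e9 possible tree entries per connection


def encode_priority_frame(stream_id, depends_on=0, weight=16, exclusive=False):
    """Serialise one HTTP/2 PRIORITY frame (RFC 7540 s6.3): 9-byte header + 5-byte payload."""
    if not 1 <= stream_id <= MAX_STREAM_ID:
        raise ValueError("PRIORITY frames must carry a non-zero 31-bit stream id")
    if not 1 <= weight <= 256:
        raise ValueError("weight must be in 1..256")
    # Payload: E bit | 31-bit dependency, then weight encoded on the wire as weight - 1.
    payload = struct.pack("!IB", (int(exclusive) << 31) | depends_on, weight - 1)
    header = struct.pack("!I", len(payload))[1:]      # 24-bit length
    header += bytes([PRIORITY_FRAME_TYPE, 0x00])       # type, flags (PRIORITY defines none)
    header += struct.pack("!I", stream_id)            # R bit (0) + 31-bit stream id
    return header + payload


def decode_priority_frame(frame):
    """Parse a 14-byte PRIORITY frame into (stream_id, depends_on, weight, exclusive)."""
    if len(frame) != 14:
        raise ValueError("PRIORITY frame must be exactly 14 bytes")
    length = int.from_bytes(frame[0:3], "big")
    frame_type = frame[3]
    stream_id = struct.unpack("!I", frame[5:9])[0] & MAX_STREAM_ID
    if length != 5 or frame_type != PRIORITY_FRAME_TYPE or stream_id == 0:
        raise ValueError("malformed PRIORITY frame")
    dep_word, weight_minus_one = struct.unpack("!IB", frame[9:14])
    return stream_id, dep_word & MAX_STREAM_ID, weight_minus_one + 1, bool(dep_word >> 31)


class TooManyStreamsError(Exception):
    """Raised once a peer tries to push the tree past the configured cap."""


class PriorityTreeModel:
    """Minimal stand-in for an HTTP/2 priority tree: stream id -> {parent, weight, children}.

    maximum_streams=None reproduces the pre-1.2.0 behaviour: every stream id the
    peer names gets an entry and nothing ever bounds the dict.
    """

    def __init__(self, maximum_streams=None):
        self.maximum_streams = maximum_streams
        # Stream 0 is the implicit root of the dependency tree (RFC 7540 s5.3.1).
        self.streams = {0: {"depends_on": None, "weight": 16, "children": set()}}

    def stream_count(self):
        return len(self.streams) - 1  # exclude the root

    def insert_stream(self, stream_id, depends_on=0, weight=16, exclusive=False):
        if stream_id in self.streams:
            return  # reprioritising a known stream allocates nothing new; out of scope here
        if self.maximum_streams is not None and self.stream_count() >= self.maximum_streams:
            raise TooManyStreamsError(f"peer exceeded {self.maximum_streams} tracked streams")
        if depends_on not in self.streams:
            depends_on = 0  # simplification: unknown parent -> default priority under the root
        parent = self.streams[depends_on]
        node = {"depends_on": depends_on, "weight": weight, "children": set()}
        if exclusive:
            # Exclusive dependency: the parent's existing children move under the new stream.
            node["children"] = parent["children"]
            for child in node["children"]:
                self.streams[child]["depends_on"] = stream_id
            parent["children"] = set()
        parent["children"].add(stream_id)
        self.streams[stream_id] = node


def malicious_priority_flood(count):
    """Constructed attacker traffic: PRIORITY frames for `count` distinct, never-opened stream ids.

    PRIORITY is legal on idle streams, so the peer never has to send HEADERS;
    14 bytes on the wire buy one tree node of server-side state each.
    """
    return b"".join(encode_priority_frame(sid, weight=256) for sid in range(1, 2 * count, 2))


def feed_priority_frames(tree, wire):
    """Server side: parse a byte string of PRIORITY frames into `tree`.

    Returns (frames_accepted, stopped_by_cap). A real server hitting the cap would
    send GOAWAY (ENHANCE_YOUR_CALM) and close the connection.
    """
    accepted = 0
    for offset in range(0, len(wire), 14):
        stream_id, depends_on, weight, exclusive = decode_priority_frame(wire[offset:offset + 14])
        try:
            tree.insert_stream(stream_id, depends_on, weight, exclusive)
        except TooManyStreamsError:
            return accepted, True
        accepted += 1
    return accepted, False


if __name__ == "__main__":
    flood = malicious_priority_flood(5000)                  # 70 KB of frames from the attacker
    vulnerable = PriorityTreeModel()                        # pre-1.2.0: no cap
    print("unbounded:", feed_priority_frames(vulnerable, flood), vulnerable.stream_count())
    fixed = PriorityTreeModel(maximum_streams=1000)         # capped, as priority 1.2.0 does
    print("capped:   ", feed_priority_frames(fixed, flood), fixed.stream_count())
```

The asymmetry is the whole point: 70 KB of attacker traffic produces 5,000 tree nodes in the unbounded model and would scale to the full 31-bit stream-ID space, while the capped model stops at 1,000 and hands the caller a signal to drop the connection. Any replacement you write for the cap must fail closed the same way; logging the error and continuing to parse would leave the tree unbounded again.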
Summary: CVE-2016-6580 is a HIGH-severity denial-of-service vulnerability in the Python `priority` library, versions 1.1.1 and earlier. A malicious HTTP/2 peer can make the priority tree allocate unbounded memory by supplying priority information for an unlimited number of stream IDs.
You are affected if your application, or an HTTP/2 server library it uses, depends on `priority` 1.1.1 or earlier. Check the installed version with `pip show priority` (or `pip freeze | grep -i priority`).
Upgrade to 1.2.0 or later with `pip install --upgrade priority`, or pin `priority>=1.2.0` in your requirements. Pinning exactly `priority==1.2.0` works but forgoes later fixes.
There is no current evidence of active exploitation campaigns targeting CVE-2016-6580, but a public PoC exists.
Reference given on this page: https://www.python.org/security/#CVE-2016-6580. Note that `priority` is a third-party library from the python-hyper project, not part of CPython, so the authoritative records are the NVD entry (https://nvd.nist.gov/vuln/detail/CVE-2016-6580) and the priority 1.2.0 release notes.