{"id":"CVE-2019-20907","details":"In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.","aliases":["PSF-2020-2"],"modified":"2026-04-11T12:20:13.246337Z","published":"2020-07-13T13:15:10.763Z","related":["ALSA-2020:4641","ALSA-2020:4654","MGASA-2020-0451","SUSE-FU-2022:0444-1","SUSE-FU-2022:0445-1","SUSE-SU-2020:2216-1","SUSE-SU-2020:2275-1","SUSE-SU-2020:2276-1","SUSE-SU-2020:2277-1","SUSE-SU-2020:2699-1","SUSE-SU-2020:3563-1","SUSE-SU-2020:3930-1","SUSE-SU-2025:20025-1","SUSE-SU-2025:20154-1","SUSE-SU-2025:20492-1","openSUSE-SU-2020:1254-1","openSUSE-SU-2020:1257-1","openSUSE-SU-2020:1258-1","openSUSE-SU-2020:1265-1","openSUSE-SU-2020:2332-1","openSUSE-SU-2020:2333-1","openSUSE-SU-2024:11283-1","openSUSE-SU-2024:11284-1","openSUSE-SU-2024:11285-1","openSUSE-SU-2024:11286-1","openSUSE-SU-2024:11551-1","openSUSE-SU-2024:12089-1","openSUSE-SU-2024:12910-1","openSUSE-SU-2024:14109-1","openSUSE-SU-2024:14434-1","openSUSE-SU-2025:15713-1"],"database_specific":{"unresolved_ranges":[{"extracted_events":[{"introduced":"9.5"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:netapp:active_iq_unified_manager:*:*:*:*:*:vsphere:*:*"},{"extracted_events":[{"last_affected":"8.8"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"12.04"}],"source":"CPE_FIELD","cpe":"cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*"},{"extracted_events":[{"last_affected":"14.04"}],"source":"CPE_FIELD","cpe":"cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*"},{"extracted_events":[{"last_affected":"16.04"}],"source":"CPE_FIELD","cpe":"cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*"},{"extracted_events":[{"last_affected":"18.04"}],"source":"CPE_FIELD","cpe":"cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*"},{"extracted_events":[{"last_affected":"20.04"}],"source":"CPE_FIELD","cpe":"cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*"},{"extracted_events":[{"last_affected":"9.0"}],"source":"CPE_FIELD","cpe":"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"31"}],"source":"CPE_FIELD","cpe":"cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"32"}],"source":"CPE_FIELD","cpe":"cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"15.1"}],"source":"CPE_FIELD","cpe":"cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*"},{"extracted_events":[{"last_affected":"15.2"}],"source":"CPE_FIELD","cpe":"cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*"}]},"references":[{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2023/05/msg00024.html"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36XI3EEQNMHGOZEI63Y7UV6XZRELYEAU/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CAXHCY4V3LPAAJOBCJ26ISZ4NUXQXTUZ/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CNHPQGSP2YM3JAUD2VAMPXTIUQTZ2M2U/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CTUNTBJ3POHONQOTLEZC46POCIYYTAKZ/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LE4O3PNDNNOMSKHNUKZKD3NGHIFUFDPX/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NTBKKOLFFNHG6CM4ACDX4APHSD5ZX5N4/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OXI72HIHMXCQFWTULUXDG7VDA2BCYL4Y/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PDKKRXLNVXRF6VGERZSR3OMQR5D5QI6I/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TOGKLGTXZLHQQFBVCAPSUDA6DOOJFNRY/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V3TALOUBYU2MQD4BPLRTDQUMBKGCAXUA/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V53P2YOLEQH4J7S5QHXMKMZYFTVVMTMO/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VT4AF72TJ2XNIKCR4WEBR7URBJJ4YZRD/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YILCHHTNLH4GG4GSQBX2MZRKZBXOLCKE/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YSL3XWVDMSMKO23HR74AJQ6VEM3C2NTS/"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00051.html"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00052.html"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00053.html"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00056.html"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2020/08/msg00034.html"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2020/11/msg00032.html"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202008-01"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20200731-0002/"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/4428-1/"},{"type":"REPORT","url":"https://bugs.python.org/issue39017"},{"type":"FIX","url":"https://github.com/python/cpython/pull/21454"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujan2021.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/python/cpython","events":[{"introduced":"2e789a1f1d84b343a996e8654590703b5fbdd441"},{"fixed":"426b022776672fdf3d71ddd98d89af341c88080f"},{"introduced":"5c4568a05a0a62b5947c55f68f9f2ecfb90a4f12"},{"fixed":"c0a9afe2ac1820409e6173bd1893ebee2cf50270"},{"introduced":"1bf9cc509326bc42cd8cb1650eb9bf64550d817e"},{"fixed":"13c94747c74437e594b7fc242ff7da668e81887c"},{"introduced":"fa919fdf2583bdfead1df00e842f24f30b2a34bf"},{"fixed":"580fbb018fd0844806119614d752b41fc69660f9"}],"database_specific":{"extracted_events":[{"introduced":"3.5.0"},{"fixed":"3.5.10"},{"introduced":"3.6.0"},{"fixed":"3.6.12"},{"introduced":"3.7.0"},{"fixed":"3.7.9"},{"introduced":"3.8.0"},{"fixed":"3.8.5"}],"source":"CPE_FIELD","cpe":"cpe:2.3:a:python:python:*:*:*:*:*:*:*:*"}}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-20907.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}