rpm package
opensuse/python-py7zr (distro: openSUSE Tumbleweed)
pkg:rpm/opensuse/python-py7zr?distro=openSUSE%20Tumbleweed
Vulnerabilities (5)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-55206 | — | — | — | < 1.1.3-1.1 | 1.1.3-1.1 | Jun 19, 2026 | PackInfo._read() uses an O(n^2) cumulative sum pattern where numstreams is read directly from the archive header. A crafted .7z archive with a large numstreams value causes excessive CPU consumption during SevenZipFile.__init__() — no extraction is needed. A 5… |
| CVE-2026-55195 | — | — | — | < 1.1.3-1.1 | 1.1.3-1.1 | Jun 19, 2026 | py7zr's `Worker.decompress()` extracts archive entries without tracking total decompressed size. A crafted `.7z` file can exhaust disk or memory before the extraction completes. Measured: 15.6 KB archive → 100 MB output (6,556:1 ratio). Proof of concept: Python code, clipped in this listing. |
| CVE-2026-23879 | High | — | — | < 1.1.3-1.1 | 1.1.3-1.1 | Jun 19, 2026 | There exists an **arbitrary file write vulnerability** in `py7zr` (1.1.0, latest), which allows symbolic links to be recreated outside the destination directory via crafted malicious symbolic link chains. When using `extractall` to extract an archive, the library rest… |
| CVE-2025-6176 | High | 7.5 | — | < 1.1.0-1.1 | 1.1.0-1.1 | Oct 31, 2025 | Scrapy versions up to 2.13.2 are vulnerable to a denial of service (DoS) attack due to a flaw in its brotli decompression implementation. The protection mechanism against decompression bombs fails to mitigate the brotli variant, allowing remote servers to crash clients with less… |
| CVE-2022-44900 | — | — | — | < 0.20.8-2.6 | 0.20.8-2.6 | Dec 6, 2022 | A directory traversal vulnerability in the SevenZipFile.extractall() function of the python library py7zr v0.20.0 and earlier allows attackers to write arbitrary files via extracting a crafted 7z file. |

Note: the description recorded for CVE-2025-6176 describes Scrapy's brotli decompression, not py7zr; confirm the package mapping against the openSUSE advisory before treating it as a py7zr finding. Descriptions ending in "…" are clipped in this listing; the full text is in the respective advisory.
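Three of the five rows share one root cause: the extractor trusts member metadata (paths, symlink targets, sizes) taken straight from the archive. The validator below is an added example, not code from py7zr or the openSUSE package, and it audits a member listing before anything is written to disk: it rejects paths that escape the destination (the CVE-2022-44900 pattern), symlink chains that resolve outside it or members that would be written through a symlink (the CVE-2026-23879 pattern), and a cumulative decompressed-size budget plus a compression-ratio ceiling (the CVE-2026-55195 pattern). The `Entry` dataclass, its `link_target` field and all sample listings are constructed for this example; with py7zr the per-member names and sizes would come from `SevenZipFile.list()`, and mapping that onto `Entry` is left to the reader. The header-count problem of CVE-2026-55206 is in the parser itself and is not something a pre-extraction check can address; only the fixed package does.

```python
"""Pre-extraction audit of archive member metadata (added example, not py7zr code).

Entries are constructed inline so the block runs offline; the Entry dataclass and
its link_target field are this example's own modelling of an archive listing.
"""
from __future__ import annotations

import posixpath
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Entry:
    name: str                           # member path as stored in the archive (posix form)
    uncompressed: int = 0               # declared uncompressed size in bytes
    compressed: int = 0                 # declared packed size in bytes
    link_target: Optional[str] = None   # symlink target; None for regular members


class UnsafeArchive(ValueError):
    """Raised with a short reason when a member would be unsafe to extract."""


def _contained(path: str, what: str) -> str:
    """Normalise a posix path and require that it stays strictly below the root.

    Absolute paths, drive letters, backslashes, '.' (the root itself) and anything
    that normalises to '..' or '../...' are rejected.
    """
    if not path or path.startswith("/") or "\\" in path:
        raise UnsafeArchive(f"{what} {path!r}: absolute or backslash path")
    if len(path) > 1 and path[1] == ":":
        raise UnsafeArchive(f"{what} {path!r}: drive-letter path")
    norm = posixpath.normpath(path)
    if norm in (".", "..") or norm.startswith("../"):
        raise UnsafeArchive(f"{what} {path!r}: escapes destination")
    return norm


def _link_destination(link: str, target: str) -> str:
    """Where a symlink stored at `link` would point, relative to the root.

    Rejecting targets that resolve to the root itself ('.') matters for chains: a
    link to '.' followed by '..' in a second link steps above the root even though
    a textual check of the second link on its own looks harmless.
    """
    if target.startswith("/"):
        raise UnsafeArchive(f"symlink {link!r}: absolute target {target!r}")
    joined = posixpath.join(posixpath.dirname(link), target)
    return _contained(joined, f"symlink {link!r} target")


def check_entries(entries: Iterable[Entry], max_total: int, max_ratio: int = 100) -> dict:
    """Validate all members; raise UnsafeArchive on the first violation.

    Symlinks are collected first so that a member listed before the link it would
    be written through is still caught, whatever the ordering inside the archive.
    """
    entries = list(entries)
    links = {}
    for e in entries:
        if e.link_target is not None:
            name = _contained(e.name, "member")
            links[name] = _link_destination(name, e.link_target)

    total = packed = 0
    for e in entries:
        name = _contained(e.name, "member")
        parts = name.split("/")
        # Any ancestor that is a symlink would make the kernel follow it on write.
        for i in range(1, len(parts)):
            ancestor = "/".join(parts[:i])
            if ancestor in links:
                raise UnsafeArchive(f"member {e.name!r}: path passes through symlink {ancestor!r}")
        if e.uncompressed < 0 or e.compressed < 0:
            raise UnsafeArchive(f"member {e.name!r}: negative size in header")
        total += e.uncompressed
        packed += e.compressed
        if total > max_total:
            raise UnsafeArchive(f"member {e.name!r}: cumulative size {total} exceeds budget {max_total}")
    if packed and total > packed * max_ratio:
        raise UnsafeArchive(f"compression ratio {total // packed}:1 exceeds {max_ratio}:1")
    return {"members": len(entries), "symlinks": len(links),
            "total_uncompressed": total, "total_packed": packed}


def audit(entries: Iterable[Entry], max_total: int, max_ratio: int = 100) -> Optional[str]:
    """The violation reason as a string, or None when extraction may proceed."""
    try:
        check_entries(entries, max_total, max_ratio)
    except UnsafeArchive as exc:
        return str(exc)
    return None


# Constructed sample listings (no real archives involved).
BENIGN = [Entry("docs/", 0, 0), Entry("docs/readme.txt", 1200, 600),
          Entry("docs/latest", link_target="readme.txt")]
TRAVERSAL = [Entry("../../etc/cron.d/job", 40, 30)]
LINK_CHAIN = [Entry("out", link_target="../../"), Entry("out/evil.sh", 50, 40)]
ROOT_LINK_CHAIN = [Entry("here", link_target="."), Entry("up", link_target="here/../escape")]
THROUGH_LINK = [Entry("share/x", 10, 10), Entry("share", link_target="docs")]
BOMB = [Entry(f"blob{i}", 25_000_000, 2_000) for i in range(5)]

if __name__ == "__main__":
    cases = [("benign", BENIGN), ("traversal", TRAVERSAL), ("link chain", LINK_CHAIN),
             ("root link chain", ROOT_LINK_CHAIN), ("through link", THROUGH_LINK), ("bomb", BOMB)]
    for label, listing in cases:
        print(f"{label:16} -> {audit(listing, max_total=100_000_000) or 'ok'}")
```

The check is deliberately more conservative than the kernel's path resolution: a symlink target is normalised textually, with every link component counted as one directory level, which can reject a few chains a real filesystem would keep inside the destination, but never accepts one that escapes. Symlinks that already exist under the destination before extraction are out of scope; extract into a fresh, empty directory.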