CVE-2024-5569: 
Python vulnerability analysis and mitigation

A Denial of Service (DoS) vulnerability exists in the jaraco/zipp library, affecting all versions prior to 3.19.1. The vulnerability (CVE-2024-5569) was discovered in the library's handling of specially crafted zip files that can trigger an infinite loop. This issue also impacts the zipfile module of CPython, as features from the third-party zipp library are later merged into CPython, and the affected code is identical in both projects (NVD).

The vulnerability is triggered when processing specially crafted zip files that lead to an infinite loop. The infinite loop can be initiated through the use of functions affecting the Path module in both zipp and zipfile, such as joinpath, the overloaded division operator, and iterdir. While the infinite loop is not resource exhaustive, it prevents the application from responding. The issue has been assigned a CVSS v3.0 base score of 6.2 (Medium) with vector string CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

When exploited, this vulnerability can cause a Denial of Service condition by preventing the application from responding due to an infinite loop. While the loop does not consume excessive system resources, it effectively blocks the application's normal operation, impacting availability (NVD).

The vulnerability has been addressed in version 3.19.1 of jaraco/zipp. Users are advised to upgrade to this version or later to mitigate the risk. The fix includes improved handling of malformed zip files (GitHub Commit).