CVE-2024-8088: 
TensorFlow vulnerability analysis and mitigation

A HIGH severity vulnerability (CVE-2024-8088) affects the CPython "zipfile" module, specifically the "zipfile.Path" functionality. When iterating over names of entries in a zip archive using methods like "namelist()", "iterdir()", etc., the process can be put into an infinite loop with a maliciously crafted zip archive. The vulnerability was discovered and disclosed in August 2024. The more common API "zipfile.ZipFile" class is unaffected (Python Security).

The vulnerability exists in the zipfile.path.ancestry() function where malformed paths in a zip archive can trigger an infinite loop. The issue occurs because posixpath.split("//") returns ("//", "") but "//" != posixpath.sep, causing the loop condition to never terminate. The vulnerability affects both metadata reading and content extraction operations (OSS Security). The vulnerability has been assigned a CVSS v4.0 base score of 8.7 HIGH (NVD).

Successful exploitation of this vulnerability could lead to Denial of Service (DoS) through resource exhaustion when processing maliciously crafted zip archives. The vulnerability only affects programs that handle user-controlled zip archives (NetApp Security).

The vulnerability has been fixed in Python by applying a more surgical fix that handles malformed payloads without breaking legitimate content. The fix involves modifying the path handling logic in the _ancestry() function. Users should upgrade to patched versions of Python. For systems that cannot be immediately updated, the primary mitigation is to avoid processing untrusted zip archives (GitHub PR).

The vulnerability was initially discovered and reported through the Python security reporting process. The fix was first implemented in the zipp package (version 3.19.1) and later ported to CPython. Various vendors, including NetApp, have issued advisories and are working on providing patches for their affected products (NetApp Security).