{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-3772", "assignerOrgId": "430a6cef-dc26-47e3-9fa8-52fb7f19644e", "state": "PUBLISHED", "assignerShortName": "directcyber", "dateReserved": "2024-04-15T01:23:15.783Z", "datePublished": "2024-04-15T01:42:07.888Z", "dateUpdated": "2025-02-13T17:53:00.106Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Pydantic", "repo": "https://github.com/pydantic/pydantic", "vendor": "Pydantic", "versions": [{"lessThan": "2.4.0", "status": "affected", "version": "2.0", "versionType": "semver"}, {"lessThan": "1.10.13", "status": "affected", "version": "1.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Sajeeb Lohani"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Regular expression denial of service in Pydanic &lt; 2.4.0, &lt; 1.10.13 allows remote attackers to cause denial of service via a crafted email string.<br>"}], "value": "Regular expression denial of service in Pydanic < 2.4.0, < 1.10.13 allows remote attackers to cause denial of service via a crafted email string."}], "impacts": [{"descriptions": [{"lang": "en", "value": "Denial of Service"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-1333", "description": "CWE-1333 Inefficient Regular Expression Complexity", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "430a6cef-dc26-47e3-9fa8-52fb7f19644e", "shortName": "directcyber", "dateUpdated": "2024-04-26T02:05:56.157Z"}, "references": [{"url": "https://github.com/pydantic/pydantic/pull/7360"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6JBZLMSH4GAZOVBMT2JUO2LXHY7M2ALI/"}], "source": {"discovery": "UNKNOWN"}, "title": "Regular expression denial of service in Pydantic < 2.4.0", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"affected": [{"vendor": "pydantic_project", "product": "pydantic", "cpes": ["cpe:2.3:a:pydantic_project:pydantic:1.0:-:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "1.0", "status": "affected", "lessThan": "1.10.13", "versionType": "semver"}]}, {"vendor": "pydantic_project", "product": "pydantic", "cpes": ["cpe:2.3:a:pydantic_project:pydantic:2.0:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "2.0", "status": "affected"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-04-22T19:52:22.735887Z", "id": "CVE-2024-3772", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-24T15:29:03.754Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T20:20:01.828Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/pydantic/pydantic/pull/7360", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6JBZLMSH4GAZOVBMT2JUO2LXHY7M2ALI/", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/pydantic/pydantic/pull/7360", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6JBZLMSH4GAZOVBMT2JUO2LXHY7M2ALI/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T20:20:01.828Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-3772", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-04-22T19:52:22.735887Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:pydantic_project:pydantic:1.0:-:*:*:*:*:*:*"], "vendor": "pydantic_project", "product": "pydantic", "versions": [{"status": "affected", "version": "1.0", "lessThan": "1.10.13", "versionType": "semver"}], "defaultStatus": "unknown"}, {"cpes": ["cpe:2.3:a:pydantic_project:pydantic:2.0:*:*:*:*:*:*:*"], "vendor": "pydantic_project", "product": "pydantic", "versions": [{"status": "affected", "version": "2.0"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-04-22T19:47:21.026Z"}}], "cna": {"title": "Regular expression denial of service in Pydantic < 2.4.0", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Sajeeb Lohani"}], "impacts": [{"descriptions": [{"lang": "en", "value": "Denial of Service"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/pydantic/pydantic", "vendor": "Pydantic", "product": "Pydantic", "versions": [{"status": "affected", "version": "2.0", "lessThan": "2.4.0", "versionType": "semver"}, {"status": "affected", "version": "1.0", "lessThan": "1.10.13", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/pydantic/pydantic/pull/7360"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6JBZLMSH4GAZOVBMT2JUO2LXHY7M2ALI/"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "Regular expression denial of service in Pydanic < 2.4.0, < 1.10.13 allows remote attackers to cause denial of service via a crafted email string.", "supportingMedia": [{"type": "text/html", "value": "Regular expression denial of service in Pydanic &lt; 2.4.0, &lt; 1.10.13 allows remote attackers to cause denial of service via a crafted email string.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1333", "description": "CWE-1333 Inefficient Regular Expression Complexity"}]}], "providerMetadata": {"orgId": "430a6cef-dc26-47e3-9fa8-52fb7f19644e", "shortName": "directcyber", "dateUpdated": "2024-04-26T02:05:56.157Z"}}}, "cveMetadata": {"cveId": "CVE-2024-3772", "state": "PUBLISHED", "dateUpdated": "2025-02-13T17:53:00.106Z", "dateReserved": "2024-04-15T01:23:15.783Z", "assignerOrgId": "430a6cef-dc26-47e3-9fa8-52fb7f19644e", "datePublished": "2024-04-15T01:42:07.888Z", "assignerShortName": "directcyber"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pydantic:pydantic:*:*:*:*:*:*:*:*", "matchCriteriaId": "ACBEEF19-DE3B-4435-9F93-DD9382A6A594", "versionEndExcluding": "1.10.13", "vulnerable": true}, {"criteria": "cpe:2.3:a:pydantic:pydantic:*:*:*:*:*:*:*:*", "matchCriteriaId": "A362CB47-987D-48D0-B033-D5EC8400C16B", "versionEndExcluding": "2.4.0", "versionStartIncluding": "2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*", "matchCriteriaId": "CC559B26-5DFC-4B7A-A27C-B77DE755DFF9", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Regular expression denial of service in Pydanic < 2.4.0, < 1.10.13 allows remote attackers to cause denial of service via a crafted email string."}, {"lang": "es", "value": "La denegaci\u00f3n de servicio de expresi\u00f3n regular en Pydanic &lt; 2.4.0, &lt; 1.10.13 permite a atacantes remotos provocar denegaci\u00f3n de servicio a trav\u00e9s de una cadena de correo electr\u00f3nico manipulada."}], "id": "CVE-2024-3772", "lastModified": "2025-12-09T18:26:27.817", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "430a6cef-dc26-47e3-9fa8-52fb7f19644e", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-04-15T03:16:07.987", "references": [{"source": "430a6cef-dc26-47e3-9fa8-52fb7f19644e", "tags": ["Exploit", "Issue Tracking", "Patch"], "url": "https://github.com/pydantic/pydantic/pull/7360"}, {"source": "430a6cef-dc26-47e3-9fa8-52fb7f19644e", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6JBZLMSH4GAZOVBMT2JUO2LXHY7M2ALI/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking", "Patch"], "url": "https://github.com/pydantic/pydantic/pull/7360"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6JBZLMSH4GAZOVBMT2JUO2LXHY7M2ALI/"}], "sourceIdentifier": "430a6cef-dc26-47e3-9fa8-52fb7f19644e", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1333"}], "source": "430a6cef-dc26-47e3-9fa8-52fb7f19644e", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:3781", "cpe": "cpe:/a:redhat:ansible_automation_platform:2.4::el8", "package": "automation-controller-0:4.5.7-1.el8ap", "product_name": "Red Hat Ansible Automation Platform 2.4 for RHEL 8", "release_date": "2024-06-10T00:00:00Z"}, {"advisory": "RHSA-2024:3781", "cpe": "cpe:/a:redhat:ansible_automation_platform:2.4::el8", "package": "python3x-pydantic-0:1.10.15-1.el8ap", "product_name": "Red Hat Ansible Automation Platform 2.4 for RHEL 8", "release_date": "2024-06-10T00:00:00Z"}, {"advisory": "RHSA-2024:3781", "cpe": "cpe:/a:redhat:ansible_automation_platform:2.4::el9", "package": "automation-controller-0:4.5.7-1.el9ap", "product_name": "Red Hat Ansible Automation Platform 2.4 for RHEL 9", "release_date": "2024-06-10T00:00:00Z"}, {"advisory": "RHSA-2024:3781", "cpe": "cpe:/a:redhat:ansible_automation_platform:2.4::el9", "package": "python-pydantic-0:1.10.15-1.el9ap", "product_name": "Red Hat Ansible Automation Platform 2.4 for RHEL 9", "release_date": "2024-06-10T00:00:00Z"}], "bugzilla": {"description": "python-pydantic: regular expression denial of service via crafted email string", "id": "2275106", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2275106"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.9", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-1333", "details": ["Regular expression denial of service in Pydanic < 2.4.0, < 1.10.13 allows remote attackers to cause denial of service via a crafted email string.", "A flaw was found in Pydantic, where it did not properly validate regular expressions containing white spaces. This flaw allows remote users to cause a denial of service attack via a crafted email string."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-3772", "public_date": "2024-04-15T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-3772\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-3772"], "threat_severity": "Moderate"}