Severity by source
Network-reachable parser, no authentication or interaction needed; sole impact is availability loss consistent with the stated 7.5 score.
Lifecycle Timeline
1Description PRE-NVD
AnalysisAI
Denial of Service in the collective/icalendar Python library allows attackers to crash or hang applications that process externally supplied iCalendar data. The vulnerability carries a CVSS score of 7.5 High and affects Plone CMS deployments as well as any Python application using the library to parse .ics input. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The application must be processing externally supplied or attacker-controlled iCalendar (.ics) data using the collective/icalendar Python library. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The reported severity of 7.5 High is consistent with unauthenticated network exploitation leading to complete availability loss, but no CVSS vector was provided in the input - this assessment is inferred. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker submits a specially crafted .ics file - for example, through a Plone site's iCalendar import feature or any public-facing endpoint backed by the collective/icalendar library - that triggers excessive resource consumption during parsing. Repeated or concurrent submissions exhaust server memory or CPU, causing the application process to become unresponsive or crash. … |
| Remediation | The primary fix is to upgrade the collective/icalendar library to the patched version specified in the advisory at https://github.com/collective/icalendar/security/advisories/GHSA-cv84-9p8j-fj68 - the exact fix version was not confirmed in the provided input data and should be verified there directly before deploying. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Complete inventory of all systems and applications using collective/icalendar library, determine current versions, and identify sources of external iCalendar input. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Share
External POC / Exploit Code
Leaving vuln.today