CVE Vulnerability

CVE-2018-14647

Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming large amounts CPU and RAM. The vulnerability exists in Python versions 3.7.0, 3.6.0 through 3.6.6, 3.5.0 through 3.5.6, 3.4.0 through 3.4.9, 2.7.0 through 2.7.15.

5 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 10 / Impact : 2.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

Scope

7.5 /10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14647 Issue Tracking Third Party Advisory
https://bugs.python.org/issue34623 Issue Tracking Patch
http://www.securityfocus.com/bid/105396 Third Party Advisory VDB Entry
https://www.debian.org/security/2018/dsa-4306 Third Party Advisory
https://www.debian.org/security/2018/dsa-4307 Third Party Advisory
http://www.securitytracker.com/id/1041740 Third Party Advisory VDB Entry
https://usn.ubuntu.com/3817-1/ Third Party Advisory
https://usn.ubuntu.com/3817-2/ Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBJCB2HWOJLP3L7CUQHJHNBHLSVOXJE5/ Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:1260 Third Party Advisory
https://lists.debian.org/debian-lts-announce/2019/06/msg00023.html Mailing List Third Party Advisory
https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html Mailing List Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:2030 Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3725 Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html Mailing List Third Party Advisory
https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E
Configurations

Configuration 1

cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
cpe:2.3:a:python:python:3.7.0:*:*:*:*:*:*:*
cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
Information

Published : 2018-09-25 12:29

Updated : 2020-07-29 12:15

NVD link : CVE-2018-14647

Mitre link : CVE-2018-14647

Products Affected
No products.
CWE
CWE-909