5.9

CVE-2014-4616

Exploit

Array index error in the scanstring function in the _json module in Python 2.7 through 3.5 and simplejson before 2.6.1 allows context-dependent attackers to read arbitrary process memory via a negative index value in the idx argument to the raw_decode function.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)
PythonPython Version >= 2.7.0 < 2.7.7
PythonPython Version >= 3.0.0 < 3.2.6
PythonPython Version >= 3.3.0 < 3.3.6
PythonPython Version >= 3.4.0 < 3.4.1
Simplejson ProjectSimplejson SwPlatformpython Version < 2.6.1
OpensuseOpensuse Version13.1
Opensuse ProjectOpensuse Version12.3
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.43% 0.617
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.9 2.2 3.6
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov 4.3 8.6 2.9
AV:N/AC:M/Au:N/C:P/I:N/A:N
CWE-129 Improper Validation of Array Index

The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.

https://security.gentoo.org/glsa/201503-10
Patch
Third Party Advisory
VDB Entry
http://bugs.python.org/issue21529
Vendor Advisory
Issue Tracking
http://openwall.com/lists/oss-security/2014/06/24/7
Third Party Advisory
Mailing List
http://www.securityfocus.com/bid/68119
Third Party Advisory
VDB Entry
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=752395
Third Party Advisory
Mailing List
Issue Tracking
https://bugzilla.redhat.com/show_bug.cgi?id=1112285
Patch
Third Party Advisory
Issue Tracking
https://hackerone.com/reports/12297
Patch
Third Party Advisory
Exploit