CVE-2018-14647

EPSS 1.9%
Veröffentlicht 25.09.2018 00:29:00
Zuletzt bearbeitet 21.11.2024 03:49:30
Quelle secalert@redhat.com
Teams Watchlist Login
Unerledigt Login

Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming large amounts CPU and RAM. The vulnerability exists in Python versions 3.7.0, 3.6.0 through 3.6.6, 3.5.0 through 3.5.6, 3.4.0 through 3.4.9, 2.7.0 through 2.7.15.

Betroffene Produkte Warnungen 0 Metriken 4 CWE 3 Referenzen 19

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Python ≫ Python Version >= 2.7.0 <= 2.7.15

Python ≫ Python Version >= 3.4.0 <= 3.4.9

Python ≫ Python Version >= 3.5.0 <= 3.5.6

Python ≫ Python Version >= 3.6.0 <= 3.6.6

Python ≫ Python Version3.7.0

Canonical ≫ Ubuntu Linux Version12.04 SwEditionesm

Canonical ≫ Ubuntu Linux Version14.04 SwEditionesm

Canonical ≫ Ubuntu Linux Version16.04 SwEditionlts

Canonical ≫ Ubuntu Linux Version18.04 SwEditionlts

Debian ≫ Debian Linux Version8.0

Debian ≫ Debian Linux Version9.0

Fedoraproject ≫ Fedora Version30

Opensuse ≫ Leap Version15.1

Redhat ≫ Enterprise Linux Desktop Version7.0

Redhat ≫ Enterprise Linux Server Version7.0

Redhat ≫ Enterprise Linux Workstation Version7.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	1.9%	0.826

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:N/I:N/A:P
secalert@redhat.com	5.3	3.9	1.4	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE-335 Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)

The product uses a Pseudo-Random Number Generator (PRNG) but does not correctly manage seeds.

CWE-665 Improper Initialization

The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.

CWE-909 Missing Initialization of Resource

The product does not initialize a critical resource.

http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html

Third Party Advisory

Mailing List

https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E

https://www.debian.org/security/2018/dsa-4307

Third Party Advisory

https://usn.ubuntu.com/3817-1/

Third Party Advisory

https://usn.ubuntu.com/3817-2/

Third Party Advisory