CVE-2018-14647

Sažetak

Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming large amounts CPU and RAM. The vulnerability exists in Python versions 3.7.0, 3.6.0 through 3.6.6, 3.5.0 through 3.5.6, 3.4.0 through 3.4.9, 2.7.0 through 2.7.15.

Reference

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14647
https://bugs.python.org/issue34623
http://www.securityfocus.com/bid/105396
https://www.debian.org/security/2018/dsa-4306
https://www.debian.org/security/2018/dsa-4307
http://www.securitytracker.com/id/1041740
https://usn.ubuntu.com/3817-1/
https://usn.ubuntu.com/3817-2/
https://access.redhat.com/errata/RHSA-2019:1260
https://lists.debian.org/debian-lts-announce/2019/06/msg00023.html
https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html
https://access.redhat.com/errata/RHSA-2019:2030
https://access.redhat.com/errata/RHSA-2019:3725
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RBJCB2HWOJLP3L7CUQHJHNBHLSVOXJE5/
https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E

CVSS

Base:	5.0
Impact:	2.9
Exploitability:	10.0

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
NONE	NONE	PARTIAL

CVSS vektor

AV:N/AC:L/Au:N/C:N/I:N/A:P

Zadnje važnije ažuriranje

07-11-2023 - 02:53

Objavljeno

25-09-2018 - 00:29