Missing Initialization of Resource
Affecting python2.7 package, versions <2.7.9-2+deb8u3
Overview
Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming large amounts of CPU and RAM. The vulnerability exists in Python versions 3.7.0, 3.6.0 through 3.6.6, 3.5.0 through 3.5.6, 3.4.0 through 3.4.9, and 2.7.0 through 2.7.15.
CVSS Score
7.5 (high severity)
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: None
- Integrity: None
- Availability: High
- CVE: CVE-2018-14647
- CWE: CWE-335, CWE-665, CWE-909
- Snyk ID: SNYK-DEBIAN8-PYTHON27-306488
- Disclosed: 25 Sep, 2018
- Published: 25 Sep, 2018