PT-2018-2305 · Python+3

Abergmann · Published 2018-09-18 · Updated 2025-09-29 · CVE-2018-1000802

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Python (CPython) version 2.7

Description

A command injection vulnerability exists in the shutil module, specifically in the make_archive function. It can be exploited by passing unfiltered user input to the function, potentially resulting in denial of service or information gain via injection of arbitrary files on the system or entire drive.

Recommendations

For Python (CPython) version 2.7, consider updating to a version where the issue has been fixed, as indicated by commit add531a1e55b0a739b0f42582f1c9747e5649ace. As a temporary workaround, consider filtering user input before passing it to shutil.make_archive to minimize the risk of exploitation.
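
One way to apply the temporary workaround above, shown as an added example (not code from this advisory or from the CPython project): a wrapper that allow-lists the archive name and format before anything reaches shutil.make_archive. The names safe_make_archive and validate_archive_name, the name pattern, and the permitted formats are assumptions chosen for illustration.

```python
import os
import re
import shutil

# Assumed policy (not from the advisory): names start with an alphanumeric,
# so a leading "-" (option-like) or "." is refused, and may contain only
# letters, digits, ".", "_" and "-". \A...\Z also refuses a trailing newline.
_NAME_RE = re.compile(r"\A[A-Za-z0-9][A-Za-z0-9._-]{0,63}\Z")
_ALLOWED_FORMATS = frozenset(["zip", "gztar"])


def validate_archive_name(name):
    """Return name unchanged if it matches the allow-list, else raise ValueError."""
    if not isinstance(name, str) or not _NAME_RE.match(name):
        raise ValueError("rejected archive name: %r" % (name,))
    return name


def safe_make_archive(user_name, fmt, source_dir, output_dir):
    """Validate untrusted user_name and fmt, then call shutil.make_archive.

    source_dir and output_dir are chosen by the application, never by the user.
    """
    validate_archive_name(user_name)
    if fmt not in _ALLOWED_FORMATS:
        raise ValueError("rejected archive format: %r" % (fmt,))
    source_dir = os.path.realpath(source_dir)
    output_dir = os.path.realpath(output_dir)
    if not os.path.isdir(source_dir):
        raise ValueError("source directory does not exist")
    base_name = os.path.join(output_dir, user_name)
    # Defence in depth: the archive must land directly inside output_dir.
    if os.path.dirname(os.path.realpath(base_name)) != output_dir:
        raise ValueError("archive path escapes output directory")
    return shutil.make_archive(base_name, fmt, root_dir=source_dir)
```

Rejecting input outright, rather than trying to escape or strip characters, keeps the filter independent of how the underlying archiver is invoked.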

Exploit

Fix

DoS

Command Injection


Weakness Enumeration

Related identifiers

ALSA-2025_16880
ALT-PU-2019-1565
BDU:2019-00437
CVE-2018-1000802
DLA-1519-1
DLA-1520-1
DSA-4306-1
MGASA-2018-0495
OPENSUSE-SU-2018_3052-1
OPENSUSE-SU-2018_3703-1
OPENSUSE-SU-2020:0086-1
OPENSUSE-SU-2020_0086-1
OPENSUSE-SU-2024:11202-1
OPENSUSE-SU-2024:11284-1
SUSE-SU-2018:3002-1
SUSE-SU-2018:3554-1
SUSE-SU-2018:3554-2
SUSE-SU-2018_3002-1
SUSE-SU-2018_3554-1
SUSE-SU-2018_3554-2
SUSE-SU-2019:2053-1
SUSE-SU-2019:2053-2
SUSE-SU-2019_2053-1
SUSE-SU-2019_2053-2
SUSE-SU-2020:0114-1
SUSE-SU-2020:0234-1
SUSE-SU-2020:0302-1
SUSE-SU-2020_0302-1
USN-3817-1
USN-3817-2

Affected products

Alt Linux
Python
Suse
Ubuntu