PT-2018-1947 · Python+7 · Python+7
Pedro Sampaio
·
Published
2018-09-10
·
Updated
2024-07-11
·
CVE-2018-14647
CVSS v3.1
7.5
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
Python versions 3.7.0, 3.6.0 through 3.6.6, 3.5.0 through 3.5.6, 3.4.0 through 3.4.9, 2.7.0 through 2.7.15
Description
The issue is related to Python's elementtree C accelerator failing to initialize Expat's hash salt during initialization. This could facilitate denial of service attacks against Expat by constructing an XML document that causes pathological hash collisions in Expat's internal data structures, consuming large amounts of CPU and RAM. The vulnerability can be exploited by an attacker using a specially crafted XML document to cause a denial of service.
Recommendations
For Python versions 3.7.0, 3.6.0 through 3.6.6, 3.5.0 through 3.5.6, 3.4.0 through 3.4.9, 2.7.0 through 2.7.15, update to a version that includes the fix for this issue.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
DoS
Improper Initialization
Improper Resource Release
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Alt Linux
Centos
Expat
Linuxmint
Python
Red Hat
Suse
Ubuntu