PT-2018-2305 · Python+3

Abergmann · Published 2018-09-18 · Updated 2025-09-29 · CVE-2018-1000802

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Python (CPython) version 2.7
Description: The vulnerability is a command injection in the shutil module, specifically in the make_archive function. It is triggered when unfiltered user input is passed to that function and can result in denial of service or information gain through injection of arbitrary files on the system or the entire drive.
Recommendations: For Python (CPython) version 2.7, update to a version in which the issue is fixed, as indicated by commit add531a1e55b0a739b0f42582f1c9747e5649ace. As a temporary workaround, filter user input before passing it to the make_archive function of the shutil module to reduce the risk of exploitation.
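As an added illustration of the workaround above (example code written for this page, not part of the advisory or of CPython), the wrapper below validates the two caller-controlled strings, the archive name and the source directory, before they reach shutil.make_archive: the name must match a strict allowlist, and the directory must resolve inside an operator-chosen base so that "..", absolute paths and symlinks cannot point elsewhere. The function names, the allowlist pattern and the directory layout built in demo() are all assumptions constructed for the example.

```python
"""Input filtering in front of shutil.make_archive (added example, not CPython code)."""
import re
import shutil
import tempfile
import zipfile
from pathlib import Path

# Assumed policy: an archive name must start with an alphanumeric character, so
# option-looking strings ("-r"), hidden names (".foo") and anything containing a
# path separator are refused before make_archive ever sees them.
ARCHIVE_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}")


def safe_archive_name(name: str) -> str:
    """Return `name` unchanged if it passes the allowlist, otherwise raise ValueError."""
    if not ARCHIVE_NAME_RE.fullmatch(name) or ".." in name:
        raise ValueError("rejected archive name: %r" % (name,))
    return name


def confined_dir(base: Path, requested: str) -> Path:
    """Resolve `requested` below `base`; refuse escapes via '..', absolute paths or symlinks."""
    base = base.resolve()
    # Joining an absolute `requested` discards `base`; the containment check below catches that.
    target = (base / requested).resolve()
    if target != base and base not in target.parents:
        raise ValueError("directory escapes the allowed base: %r" % (requested,))
    if not target.is_dir():
        raise ValueError("not a directory: %r" % (requested,))
    return target


def make_archive_safely(archive_dir: Path, name: str, source_base: Path, subdir: str) -> str:
    """Validate both caller-controlled strings, then delegate to shutil.make_archive."""
    safe_name = safe_archive_name(name)
    root = confined_dir(source_base, subdir)
    base_name = str(Path(archive_dir).resolve() / safe_name)
    # On Python 3 the "zip" format is produced with the zipfile module, no external tool.
    return shutil.make_archive(base_name, "zip", root_dir=root)


def demo() -> dict:
    """Constructed scenario: one legitimate request and three rejected ones."""
    work = Path(tempfile.mkdtemp())
    src = work / "uploads" / "job42"
    src.mkdir(parents=True)
    (src / "report.txt").write_text("constructed sample content\n")
    out = work / "archives"
    out.mkdir()

    archive = make_archive_safely(out, "job42", work / "uploads", "job42")
    with zipfile.ZipFile(archive) as zf:
        members = sorted(zf.namelist())

    rejected = []
    # Option-like name, parent-directory escape, absolute path: each must raise.
    for name, subdir in (("-r", "job42"), ("job42", "../../etc"), ("job42", "/")):
        try:
            make_archive_safely(out, name, work / "uploads", subdir)
        except ValueError:
            rejected.append((name, subdir))

    shutil.rmtree(work)
    return {"archive": Path(archive).name, "members": members, "rejected": len(rejected)}


if __name__ == "__main__":
    print(demo())
```

The allowlist is deliberately stricter than the bug requires; a defender who does not know every character the underlying archiver treats specially is better served by accepting a small known-good set than by trying to block known-bad ones.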

Tags: Exploit · Fix · DoS · Command Injection


Weakness Enumeration

Related Identifiers

ALSA-2025_16880
ALT-PU-2019-1565
BDU:2019-00437
CVE-2018-1000802
DLA-1519-1
DLA-1520-1
DSA-4306-1
MGASA-2018-0495
OPENSUSE-SU-2018_3052-1
OPENSUSE-SU-2018_3703-1
OPENSUSE-SU-2020:0086-1
OPENSUSE-SU-2020_0086-1
OPENSUSE-SU-2024:11202-1
OPENSUSE-SU-2024:11284-1
SUSE-SU-2018:3002-1
SUSE-SU-2018:3554-1
SUSE-SU-2018:3554-2
SUSE-SU-2018_3002-1
SUSE-SU-2018_3554-1
SUSE-SU-2018_3554-2
SUSE-SU-2019:2053-1
SUSE-SU-2019:2053-2
SUSE-SU-2019_2053-1
SUSE-SU-2019_2053-2
SUSE-SU-2020:0114-1
SUSE-SU-2020:0234-1
SUSE-SU-2020:0302-1
SUSE-SU-2020_0302-1
USN-3817-1
USN-3817-2

Affected Products

Alt Linux
Python
Suse
Ubuntu