ByteOS Network

NVD Vulnerability Details :

CVE-2018-14647

Modified

Source-secalert@redhat.com

Published At-25 Sep, 2018 | 00:29

Updated At-07 Nov, 2023 | 02:53

Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming large amounts CPU and RAM. The vulnerability exists in Python versions 3.7.0, 3.6.0 through 3.6.6, 3.5.0 through 3.5.6, 3.4.0 through 3.4.9, 2.7.0 through 2.7.15.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Primary	3.1	7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Secondary	3.0	5.3	MEDIUM	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Primary	2.0	5.0	MEDIUM	AV:N/AC:L/Au:N/C:N/I:N/A:P

CPE Matches

Python Software Foundation

>>python>>Versions from 2.7.0(inclusive) to 2.7.15(inclusive)

cpe:2.3:a:python:python:*:*:*:*:*:*:*:*

Python Software Foundation

>>python>>Versions from 3.4.0(inclusive) to 3.4.9(inclusive)

cpe:2.3:a:python:python:*:*:*:*:*:*:*:*

Python Software Foundation

>>python>>Versions from 3.5.0(inclusive) to 3.5.6(inclusive)

cpe:2.3:a:python:python:*:*:*:*:*:*:*:*

Python Software Foundation

>>python>>Versions from 3.6.0(inclusive) to 3.6.6(inclusive)

cpe:2.3:a:python:python:*:*:*:*:*:*:*:*

Python Software Foundation

>>python>>3.7.0

cpe:2.3:a:python:python:3.7.0:*:*:*:*:*:*:*

Canonical Ltd.

>>ubuntu_linux>>12.04

cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*

Canonical Ltd.

>>ubuntu_linux>>14.04

cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*

Canonical Ltd.

>>ubuntu_linux>>16.04

cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*

Canonical Ltd.

>>ubuntu_linux>>18.04

cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*

Debian GNU/Linux

>>debian_linux>>8.0

cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

Debian GNU/Linux

>>debian_linux>>9.0

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Fedora Project

>>fedora>>30

cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*

openSUSE

>>leap>>15.1

cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*

Red Hat, Inc.

>>enterprise_linux_desktop>>7.0

cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*

Red Hat, Inc.

>>enterprise_linux_server>>7.0

cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*

Red Hat, Inc.

>>enterprise_linux_workstation>>7.0

cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*

Weaknesses

CWE ID	Type	Source
CWE-909	Primary	nvd@nist.gov
CWE-335	Secondary	secalert@redhat.com
CWE-665	Secondary	secalert@redhat.com

References

Hyperlink	Source	Resource
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html	secalert@redhat.com	Mailing List Third Party Advisory
http://www.securityfocus.com/bid/105396	secalert@redhat.com	Third Party Advisory VDB Entry
http://www.securitytracker.com/id/1041740	secalert@redhat.com	Third Party Advisory VDB Entry
https://access.redhat.com/errata/RHSA-2019:1260	secalert@redhat.com	Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:2030	secalert@redhat.com	Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3725	secalert@redhat.com	Third Party Advisory
https://bugs.python.org/issue34623	secalert@redhat.com	Issue Tracking Patch Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14647	secalert@redhat.com	Issue Tracking Third Party Advisory
https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E	secalert@redhat.com	N/A
https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html	secalert@redhat.com	Mailing List Third Party Advisory
https://lists.debian.org/debian-lts-announce/2019/06/msg00023.html	secalert@redhat.com	Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RBJCB2HWOJLP3L7CUQHJHNBHLSVOXJE5/	secalert@redhat.com	N/A
https://usn.ubuntu.com/3817-1/	secalert@redhat.com	Third Party Advisory
https://usn.ubuntu.com/3817-2/	secalert@redhat.com	Third Party Advisory
https://www.debian.org/security/2018/dsa-4306	secalert@redhat.com	Third Party Advisory
https://www.debian.org/security/2018/dsa-4307	secalert@redhat.com	Third Party Advisory

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History