CVE-2018-1000802
high-risk
Published 2018-09-18
Python Software Foundation Python (CPython) version 2.7 contains a CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in the shutil module (make_archive function) that can result in denial of service or information gain via injection of arbitrary files on the system or entire drive. This attack appears to be exploitable via passage of unfiltered user input to the function. This vulnerability appears to have been fixed after commit add531a1e55b0a739b0f42582f1c9747e5649ace.
Do I need to act?
22.3% chance of exploitation in next 30 days
EPSS score — higher than 78% of all CVEs
Not on CISA KEV list
No confirmed active exploitation reported to CISA
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
CVSS 9.8/10
Critical
NETWORK / LOW complexity
Affected Products (8)
References (22)
Issue Tracking
https://bugs.python.org/issue34540
Third Party Advisory
https://usn.ubuntu.com/3817-1/
Third Party Advisory
https://usn.ubuntu.com/3817-2/
Third Party Advisory
https://www.debian.org/security/2018/dsa-4306
and 2 more references
60 / 100
high-risk
Severity: 32/34 · Critical
Exploitability: 14/34 · Moderate
Exposure: 14/34 · Moderate