CVE-2018-1000808

moderate-risk
Published 2018-10-08

Python Cryptographic Authority pyopenssl version Before 17.5.0 contains a CWE - 401 : Failure to Release Memory Before Removing Last Reference vulnerability in PKCS #12 Store that can result in Denial of service if memory runs low or is exhausted. This attack appear to be exploitable via Depends upon calling application, however it could be as simple as initiating a TLS connection. Anything that would cause the calling application to reload certificates from a PKCS #12 store.. This vulnerability appears to have been fixed in 17.5.0.

Do I need to act?

-
0.16% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.9/10 Medium
NETWORK / HIGH complexity

Affected Products (7)

Pyopenssl

Affected Vendors

Redhat Canonical Pyopenssl Project

References (8)

http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00014.html
Third Party Advisory https://access.redhat.com/errata/RHSA-2019:0085
Patch https://github.com/pyca/pyopenssl/pull/723
Third Party Advisory https://usn.ubuntu.com/3813-1/
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00014.html
Third Party Advisory https://access.redhat.com/errata/RHSA-2019:0085
Patch https://github.com/pyca/pyopenssl/pull/723
Third Party Advisory https://usn.ubuntu.com/3813-1/
33
/ 100
moderate-risk
Severity 18/34 · Moderate
Exploitability 1/34 · Minimal
Exposure 14/34 · Moderate