CVE-2018-1061

moderate-risk

Published 2018-06-19

python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in the difflib.IS_LINE_JUNK method. An attacker could use this flaw to cause denial of service.

Do I need to act?

1.5% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.5/10 Medium

NETWORK / LOW complexity

Affected Products (20)

Python

Debian Linux

Ansible Tower

Enterprise Linux Desktop

Enterprise Linux Server

Enterprise Linux Workstation

Ubuntu Linux

Affected Vendors

Debian Redhat Python Canonical Fedoraproject

References (42)

http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html

Third Party Advisory http://www.securitytracker.com/id/1042001

Third Party Advisory https://access.redhat.com/errata/RHBA-2019:0327

Third Party Advisory https://access.redhat.com/errata/RHSA-2018:3041

Third Party Advisory https://access.redhat.com/errata/RHSA-2018:3505

https://access.redhat.com/errata/RHSA-2019:1260

https://access.redhat.com/errata/RHSA-2019:3725

Vendor Advisory https://bugs.python.org/issue32981

Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1061

Vendor Advisory https://docs.python.org/3.5/whatsnew/changelog.html#python-3-5-6-release-candida...

Vendor Advisory https://docs.python.org/3.6/whatsnew/changelog.html#python-3-6-5-release-candida...

Mailing List https://lists.debian.org/debian-lts-announce/2018/09/msg00030.html

Mailing List https://lists.debian.org/debian-lts-announce/2018/09/msg00031.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...

https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpe...

Third Party Advisory https://usn.ubuntu.com/3817-1/

Third Party Advisory https://usn.ubuntu.com/3817-2/

Third Party Advisory https://www.debian.org/security/2018/dsa-4306

and 22 more references

/ 100

moderate-risk

Severity 24/34 · High

Exploitability 4/34 · Minimal

Exposure 21/34 · High