CVE-2018-14647

moderate-risk

Published 2018-09-25

Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming large amounts CPU and RAM. The vulnerability exists in Python versions 3.7.0, 3.6.0 through 3.6.6, 3.5.0 through 3.5.6, 3.4.0 through 3.4.9, 2.7.0 through 2.7.15.

Do I need to act?

1.6% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.5/10 High

NETWORK / LOW complexity

Affected Products (13)

Python

Ubuntu Linux

Debian Linux

Fedora

Leap

Enterprise Linux Desktop

Enterprise Linux Server

Enterprise Linux Workstation

Affected Vendors

Debian Redhat Python Canonical Fedoraproject Opensuse

References (32)

Mailing List http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html

Third Party Advisory http://www.securityfocus.com/bid/105396

Third Party Advisory http://www.securitytracker.com/id/1041740

Third Party Advisory https://access.redhat.com/errata/RHSA-2019:1260

Third Party Advisory https://access.redhat.com/errata/RHSA-2019:2030

Third Party Advisory https://access.redhat.com/errata/RHSA-2019:3725

Issue Tracking https://bugs.python.org/issue34623

Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14647

https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab...

Mailing List https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html

Mailing List https://lists.debian.org/debian-lts-announce/2019/06/msg00023.html

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro...

Third Party Advisory https://usn.ubuntu.com/3817-1/

Third Party Advisory https://usn.ubuntu.com/3817-2/

Third Party Advisory https://www.debian.org/security/2018/dsa-4306

Third Party Advisory https://www.debian.org/security/2018/dsa-4307

Mailing List http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html

Third Party Advisory http://www.securityfocus.com/bid/105396

Third Party Advisory http://www.securitytracker.com/id/1041740

Third Party Advisory https://access.redhat.com/errata/RHSA-2019:1260

and 12 more references

/ 100

moderate-risk

Severity 26/34 · High

Exploitability 4/34 · Minimal

Exposure 17/34 · Moderate