CVE-2018-14647

Published: Sep 25, 2018

Modified: Aug 5, 2024

PUBLISHED

CVSS v3.0: 5.3 (MEDIUM)

Description

Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming large amounts of CPU and RAM. The vulnerability exists in Python versions 3.7.0, 3.6.0 through 3.6.6, 3.5.0 through 3.5.6, 3.4.0 through 3.4.9, and 2.7.0 through 2.7.15.

Vendor: The Python Project

Product: Python

Versions (affected): 3.8, 3.7, 3.6, 3.5, 3.4, 2.7

Weaknesses (CWE)

CVSS v3.0 Details

CVSS v3.0 Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Attack Vector: Network

Attack Complexity: Low

Privileges Required: None

User Interaction: None

Scope: Unchanged

Confidentiality: None

Integrity: None

Availability: Low

References

DSA-4306 (vendor-advisory, x_refsource_DEBIAN)
USN-3817-2 (vendor-advisory, x_refsource_UBUNTU)
1041740 (vdb-entry, x_refsource_SECTRACK)
105396 (vdb-entry, x_refsource_BID)
DSA-4307 (vendor-advisory, x_refsource_DEBIAN)
USN-3817-1 (vendor-advisory, x_refsource_UBUNTU)
FEDORA-2019-0c91ce7b3c (vendor-advisory, x_refsource_FEDORA)
RHSA-2019:1260 (vendor-advisory, x_refsource_REDHAT)
RHSA-2019:2030 (vendor-advisory, x_refsource_REDHAT)
RHSA-2019:3725 (vendor-advisory, x_refsource_REDHAT)
openSUSE-SU-2020:0086 (vendor-advisory, x_refsource_SUSE)
