Vulnerability in The Python Project
CVE-2018-14647
Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash…
Vulnerability class: Dirty Pipe (CVE-2022-0847)
EPSS: 0.012 (79.7th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 5.3 (Medium). Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L.
Affected products
- The Python Project — versions 3.8, 3.7, 3.6, 3.5, 3.4, 2.7
Weakness classification (CWE)
References
- DSA-4306 (vendor-advisory, x_refsource_DEBIAN)
- USN-3817-2 (x_refsource_UBUNTU, vendor-advisory)
- 1041740 (vdb-entry, x_refsource_SECTRACK)
- 105396 (vdb-entry, x_refsource_BID)
- DSA-4307 (vendor-advisory, x_refsource_DEBIAN)
- bugs.python.org/issue34623 (x_refsource_MISC)
- USN-3817-1 (x_refsource_UBUNTU, vendor-advisory)
- bugzilla.redhat.com/show_bug.cgi (x_refsource_CONFIRM)
- FEDORA-2019-0c91ce7b3c (x_refsource_FEDORA, vendor-advisory)
- RHSA-2019:1260 (x_refsource_REDHAT, vendor-advisory)
Frequently asked questions
- What is CVE-2018-14647?
- CVE-2018-14647 is a medium-severity vulnerability in The Python Project, classified under Improper Initialization. CVSS score: 5.3/10. Published 2018-09-25.
- How severe is CVE-2018-14647?
- Medium severity. CVSS v3 base score is 5.3 out of 10.