{"containers": {"cna": {"affected": [{"product": "Python", "vendor": "The Python Project", "versions": [{"status": "affected", "version": "3.8, 3.7, 3.6, 3.5, 3.4, 2.7"}]}], "datePublic": "2018-09-21T00:00:00", "descriptions": [{"lang": "en", "value": "Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming large amounts CPU and RAM. The vulnerability exists in Python versions 3.7.0, 3.6.0 through 3.6.6, 3.5.0 through 3.5.6, 3.4.0 through 3.4.9, 2.7.0 through 2.7.15."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-665", "description": "CWE-665", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-335", "description": "CWE-335", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-07-29T11:06:41", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "DSA-4306", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2018/dsa-4306"}, {"name": "USN-3817-2", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/3817-2/"}, {"name": "1041740", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1041740"}, {"name": "105396", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/105396"}, {"name": "DSA-4307", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2018/dsa-4307"}, {"tags": ["x_refsource_MISC"], "url": "https://bugs.python.org/issue34623"}, {"name": "USN-3817-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/3817-1/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14647"}, {"name": "FEDORA-2019-0c91ce7b3c", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RBJCB2HWOJLP3L7CUQHJHNBHLSVOXJE5/"}, {"name": "RHSA-2019:1260", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:1260"}, {"name": "[debian-lts-announce] 20190625 [SECURITY] [DLA 1834-1] python2.7 security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html"}, {"name": "[debian-lts-announce] 20190625 [SECURITY] [DLA 1835-1] python3.4 security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00023.html"}, {"name": "RHSA-2019:2030", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:2030"}, {"name": "RHSA-2019:3725", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2019:3725"}, {"name": "openSUSE-SU-2020:0086", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html"}, {"name": "[bookkeeper-issues] 20200729 [GitHub] [bookkeeper] padma81 opened a new issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2018-14647", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Python", "version": {"version_data": [{"version_value": "3.8, 3.7, 3.6, 3.5, 3.4, 2.7"}]}}]}, "vendor_name": "The Python Project"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming large amounts CPU and RAM. The vulnerability exists in Python versions 3.7.0, 3.6.0 through 3.6.6, 3.5.0 through 3.5.6, 3.4.0 through 3.4.9, 2.7.0 through 2.7.15."}]}, "impact": {"cvss": [[{"vectorString": "5.3/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.0"}]]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-665"}]}, {"description": [{"lang": "eng", "value": "CWE-335"}]}]}, "references": {"reference_data": [{"name": "DSA-4306", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2018/dsa-4306"}, {"name": "USN-3817-2", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/3817-2/"}, {"name": "1041740", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1041740"}, {"name": "105396", "refsource": "BID", "url": "http://www.securityfocus.com/bid/105396"}, {"name": "DSA-4307", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2018/dsa-4307"}, {"name": "https://bugs.python.org/issue34623", "refsource": "MISC", "url": "https://bugs.python.org/issue34623"}, {"name": "USN-3817-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/3817-1/"}, {"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14647", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14647"}, {"name": "FEDORA-2019-0c91ce7b3c", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RBJCB2HWOJLP3L7CUQHJHNBHLSVOXJE5/"}, {"name": "RHSA-2019:1260", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:1260"}, {"name": "[debian-lts-announce] 20190625 [SECURITY] [DLA 1834-1] python2.7 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html"}, {"name": "[debian-lts-announce] 20190625 [SECURITY] [DLA 1835-1] python3.4 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00023.html"}, {"name": "RHSA-2019:2030", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:2030"}, {"name": "RHSA-2019:3725", "refsource": "REDHAT", "url": "https://access.redhat.com/errata/RHSA-2019:3725"}, {"name": "openSUSE-SU-2020:0086", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html"}, {"name": "[bookkeeper-issues] 20200729 [GitHub] [bookkeeper] padma81 opened a new issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image", "refsource": "MLIST", "url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T09:38:13.104Z"}, "title": "CVE Program Container", "references": [{"name": "DSA-4306", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2018/dsa-4306"}, {"name": "USN-3817-2", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "https://usn.ubuntu.com/3817-2/"}, {"name": "1041740", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1041740"}, {"name": "105396", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/105396"}, {"name": "DSA-4307", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2018/dsa-4307"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugs.python.org/issue34623"}, {"name": "USN-3817-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "https://usn.ubuntu.com/3817-1/"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14647"}, {"name": "FEDORA-2019-0c91ce7b3c", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RBJCB2HWOJLP3L7CUQHJHNBHLSVOXJE5/"}, {"name": "RHSA-2019:1260", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2019:1260"}, {"name": "[debian-lts-announce] 20190625 [SECURITY] [DLA 1834-1] python2.7 security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html"}, {"name": "[debian-lts-announce] 20190625 [SECURITY] [DLA 1835-1] python3.4 security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00023.html"}, {"name": "RHSA-2019:2030", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2019:2030"}, {"name": "RHSA-2019:3725", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2019:3725"}, {"name": "openSUSE-SU-2020:0086", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html"}, {"name": "[bookkeeper-issues] 20200729 [GitHub] [bookkeeper] padma81 opened a new issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2018-14647", "datePublished": "2018-09-25T00:00:00", "dateReserved": "2018-07-27T00:00:00", "dateUpdated": "2024-08-05T09:38:13.104Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*", "matchCriteriaId": "94262449-D8AB-4E63-A5FC-B7C17E4D791F", "versionEndIncluding": "2.7.15", "versionStartIncluding": "2.7.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*", "matchCriteriaId": "3C3AAFC0-A226-4B50-96DD-70575F01EBE9", "versionEndIncluding": "3.4.9", "versionStartIncluding": "3.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*", "matchCriteriaId": "7FD0A700-77B7-402B-8467-B7BD4B7A14AF", "versionEndIncluding": "3.5.6", "versionStartIncluding": "3.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*", "matchCriteriaId": "050ED9B4-4574-4608-A3E6-A7DD218CF813", "versionEndIncluding": "3.6.6", "versionStartIncluding": "3.6.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:python:python:3.7.0:*:*:*:*:*:*:*", "matchCriteriaId": "88AADB15-74A7-447E-B8EF-E60C2A627BC9", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*", "matchCriteriaId": "8D305F7A-D159-4716-AB26-5E38BB5CD991", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*", "matchCriteriaId": "815D70A8-47D3-459C-A32C-9FEACA0659D1", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "matchCriteriaId": "F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*", "matchCriteriaId": "97A4B8DF-58DA-4AB6-A1F9-331B36409BA3", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*", "matchCriteriaId": "B620311B-34A3-48A6-82DF-6F078D7A4493", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "33C068A4-3780-4EAB-A937-6082DF847564", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "51EF4996-72F4-4FA4-814F-F5991E7A8318", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "825ECE2D-E232-46E0-A047-074B34DB1E97", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming large amounts CPU and RAM. The vulnerability exists in Python versions 3.7.0, 3.6.0 through 3.6.6, 3.5.0 through 3.5.6, 3.4.0 through 3.4.9, 2.7.0 through 2.7.15."}, {"lang": "es", "value": "El acelerador de C elementtree en Python no inicializa la sal del hash Expat durante la inicializaci\u00f3n. Esto podr\u00eda facilitar llevar a cabo ataques de denegaci\u00f3n de servicio (DoS) contra Expat construyendo un documento XML que provocar\u00eda colisiones de hashes en las estructuras internas de datos de Expat, consumiendo grandes cantidades de CPU y RAM. La vulnerabilidad existe en Python versi\u00f3n 3.7.0, versiones 3.6.0 a 3.6.6, versiones 3.5.0 a 3.5.6, versiones 3.4.0 a 3.4.9, versiones 2.7.0 a 2.7.15."}], "id": "CVE-2018-14647", "lastModified": "2024-11-21T03:49:30.067", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "secalert@redhat.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-09-25T00:29:00.703", "references": [{"source": "secalert@redhat.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/105396"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securitytracker.com/id/1041740"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2019:1260"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2019:2030"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2019:3725"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://bugs.python.org/issue34623"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14647"}, {"source": "secalert@redhat.com", "url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E"}, {"source": "secalert@redhat.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html"}, {"source": "secalert@redhat.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00023.html"}, {"source": "secalert@redhat.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RBJCB2HWOJLP3L7CUQHJHNBHLSVOXJE5/"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/3817-1/"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/3817-2/"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2018/dsa-4306"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2018/dsa-4307"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/105396"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securitytracker.com/id/1041740"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2019:1260"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2019:2030"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2019:3725"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://bugs.python.org/issue34623"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14647"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0%40%3Cissues.bookkeeper.apache.org%3E"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00022.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2019/06/msg00023.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RBJCB2HWOJLP3L7CUQHJHNBHLSVOXJE5/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/3817-1/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/3817-2/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2018/dsa-4306"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2018/dsa-4307"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-335"}, {"lang": "en", "value": "CWE-665"}], "source": "secalert@redhat.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-909"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank the Python Security Response Team for reporting this issue.", "affected_release": [{"advisory": "RHBA-2020:0547", "cpe": "cpe:/a:redhat:ansible_tower:3.4::el7", "package": "ansible-tower-34/ansible-tower-memcached:1.4.15-28", "product_name": "Red Hat Ansible Tower 3.4 for RHEL 7", "release_date": "2020-02-18T00:00:00Z"}, {"advisory": "RHBA-2020:0547", "cpe": "cpe:/a:redhat:ansible_tower:3.4::el7", "package": "ansible-tower-35/ansible-tower-memcached:1.4.15-28", "product_name": "Red Hat Ansible Tower 3.4 for RHEL 7", "release_date": "2020-02-18T00:00:00Z"}, {"advisory": "RHBA-2020:0547", "cpe": "cpe:/a:redhat:ansible_tower:3.4::el7", "package": "ansible-tower-37/ansible-tower-memcached-rhel7:1.4.15-28", "product_name": "Red Hat Ansible Tower 3.4 for RHEL 7", "release_date": "2020-02-18T00:00:00Z"}, {"advisory": "RHSA-2019:2030", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "python-0:2.7.5-86.el7", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2019-08-06T00:00:00Z"}, {"advisory": "RHSA-2020:1346", "cpe": "cpe:/o:redhat:rhel_aus:7.4", "package": "python-0:2.7.5-63.el7_4", "product_name": "Red Hat Enterprise Linux 7.4 Advanced Update Support", "release_date": "2020-04-07T00:00:00Z"}, {"advisory": "RHSA-2020:1346", "cpe": "cpe:/o:redhat:rhel_tus:7.4", "package": "python-0:2.7.5-63.el7_4", "product_name": "Red Hat Enterprise Linux 7.4 Telco Extended Update Support", "release_date": "2020-04-07T00:00:00Z"}, {"advisory": "RHSA-2020:1346", "cpe": "cpe:/o:redhat:rhel_e4s:7.4", "package": "python-0:2.7.5-63.el7_4", "product_name": "Red Hat Enterprise Linux 7.4 Update Services for SAP Solutions", "release_date": "2020-04-07T00:00:00Z"}, {"advisory": "RHSA-2020:1268", "cpe": "cpe:/o:redhat:rhel_eus:7.5", "package": "python-0:2.7.5-74.el7_5", "product_name": "Red Hat Enterprise Linux 7.5 Extended Update Support", "release_date": "2020-04-01T00:00:00Z"}, {"advisory": "RHSA-2020:1462", "cpe": "cpe:/o:redhat:rhel_eus:7.6", "package": "python-0:2.7.5-83.el7_6", "product_name": "Red Hat Enterprise Linux 7.6 Extended Update Support", "release_date": "2020-04-14T00:00:00Z"}, {"advisory": "RHSA-2019:1260", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el6", "package": "python27-python-0:2.7.16-4.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date": "2019-05-22T00:00:00Z"}, {"advisory": "RHSA-2019:1260", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el6", "package": "python27-python-jinja2-0:2.6-12.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date": "2019-05-22T00:00:00Z"}, {"advisory": "RHSA-2019:3725", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el6", "package": "rh-python36-python-0:3.6.9-2.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date": "2019-11-06T00:00:00Z"}, {"advisory": "RHSA-2019:1260", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "python27-python-0:2.7.16-4.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2019-05-22T00:00:00Z"}, {"advisory": "RHSA-2019:1260", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "python27-python-jinja2-0:2.6-15.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2019-05-22T00:00:00Z"}, {"advisory": "RHSA-2019:3725", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-python36-python-0:3.6.9-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2019-11-06T00:00:00Z"}, {"advisory": "RHSA-2019:1260", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "python27-python-0:2.7.16-4.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS", "release_date": "2019-05-22T00:00:00Z"}, {"advisory": "RHSA-2019:1260", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "python27-python-jinja2-0:2.6-15.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS", "release_date": "2019-05-22T00:00:00Z"}, {"advisory": "RHSA-2019:1260", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "python27-python-0:2.7.16-4.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS", "release_date": "2019-05-22T00:00:00Z"}, {"advisory": "RHSA-2019:1260", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "python27-python-jinja2-0:2.6-15.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS", "release_date": "2019-05-22T00:00:00Z"}, {"advisory": "RHSA-2019:3725", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-python36-python-0:3.6.9-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS", "release_date": "2019-11-06T00:00:00Z"}, {"advisory": "RHSA-2019:1260", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "python27-python-0:2.7.16-4.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date": "2019-05-22T00:00:00Z"}, {"advisory": "RHSA-2019:1260", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "python27-python-jinja2-0:2.6-15.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date": "2019-05-22T00:00:00Z"}, {"advisory": "RHSA-2019:3725", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-python36-python-0:3.6.9-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date": "2019-11-06T00:00:00Z"}, {"advisory": "RHSA-2019:3725", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-python36-python-0:3.6.9-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2019-11-06T00:00:00Z"}], "bugzilla": {"description": "python: Missing salt initialization in _elementtree.c module", "id": "1631822", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1631822"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "verified"}, "cwe": "CWE-665->CWE-335", "details": ["Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming large amounts CPU and RAM. The vulnerability exists in Python versions 3.7.0, 3.6.0 through 3.6.6, 3.5.0 through 3.5.6, 3.4.0 through 3.4.9, 2.7.0 through 2.7.15.", "Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by contructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming large amounts CPU and RAM."], "name": "CVE-2018-14647", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Will not fix", "package_name": "python", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Will not fix", "package_name": "python", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "python27:2.7/python2", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "python3", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "python36:3.6/python36", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Will not fix", "package_name": "rh-python35-python", "product_name": "Red Hat Software Collections"}], "public_date": "2018-09-22T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2018-14647\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-14647\nhttps://bugs.python.org/issue34623"], "threat_severity": "Moderate"}