CVE-2018-14647

2018-09-2400:00:00

ubuntu.com

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.009

Percentile

82.8%

JSON

Python’s elementtree C accelerator failed to initialise Expat’s hash salt
during initialization. This could make it easy to conduct denial of service
attacks against Expat by constructing an XML document that would cause
pathological hash collisions in Expat’s internal data structures, consuming
large amounts CPU and RAM. The vulnerability exists in Python versions
3.7.0, 3.6.0 through 3.6.6, 3.5.0 through 3.5.6, 3.4.0 through 3.4.9, 2.7.0
through 2.7.15.

Bugs

OSVersionArchitecturePackageVersionFilename
ubuntu18.04noarchpython2.7< 2.7.15~rc1-1ubuntu0.1UNKNOWN
ubuntu14.04noarchpython2.7< 2.7.6-8ubuntu0.5UNKNOWN
ubuntu16.04noarchpython2.7< 2.7.12-1ubuntu0~16.04.4UNKNOWN
ubuntu14.04noarchpython3.4< 3.4.3-1ubuntu1~14.04.7UNKNOWN
ubuntu14.04noarchpython3.5< 3.5.2-2ubuntu0~16.04.4~14.04.1+esm1UNKNOWN
ubuntu16.04noarchpython3.5< 3.5.2-2ubuntu0~16.04.5UNKNOWN
ubuntu18.04noarchpython3.6< 3.6.7-1~18.04UNKNOWN
ubuntu18.04noarchpython3.7< 3.7.1-1~18.04UNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	18.04	noarch	python2.7	< 2.7.15~rc1-1ubuntu0.1	UNKNOWN
ubuntu	14.04	noarch	python2.7	< 2.7.6-8ubuntu0.5	UNKNOWN
ubuntu	16.04	noarch	python2.7	< 2.7.12-1ubuntu0~16.04.4	UNKNOWN
ubuntu	14.04	noarch	python3.4	< 3.4.3-1ubuntu1~14.04.7	UNKNOWN
ubuntu	14.04	noarch	python3.5	< 3.5.2-2ubuntu0~16.04.4~14.04.1+esm1	UNKNOWN
ubuntu	16.04	noarch	python3.5	< 3.5.2-2ubuntu0~16.04.5	UNKNOWN
ubuntu	18.04	noarch	python3.6	< 3.6.7-1~18.04	UNKNOWN
ubuntu	18.04	noarch	python3.7	< 3.7.1-1~18.04	UNKNOWN