CVE-2018-14647
python3.4 - security update
CVSS 3.1 score: 7.5 (HIGH)
EPSS: 1.2%
Description
Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming large amounts of CPU and RAM. The vulnerability exists in Python versions 3.7.0, 3.6.0 through 3.6.6, 3.5.0 through 3.5.6, 3.4.0 through 3.4.9, and 2.7.0 through 2.7.15.
How to fix CVE-2018-14647
To remediate CVE-2018-14647, upgrade the affected package to one of the fixed versions listed below.
- upgrade to 2.7.16-r0 or later
- upgrade to 3.6.8-r0 or later
- upgrade to 2.7.15-5 or later
- upgrade to 2.7.9-2+deb8u3 or later
- upgrade to 3.4.2-1+deb8u3 or later
Is CVE-2018-14647 being exploited?
Low — EPSS is 1.2%, meaning exploitation activity has not been observed at scale.
Affected packages (5)
- versions >= 0, < 2.7.16-r0
- versions >= 0, < 3.6.8-r0
- versions >= 0, < 2.7.15-5
- versions >= 0, < 2.7.9-2+deb8u3
- versions >= 0, < 3.4.2-1+deb8u3
CVSS scores
| Source | Version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | HIGH | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |