CVE Vulnerabilities

CVE-2018-14647

Missing Initialization of Resource

Published: Sep 25, 2018 | Modified: Nov 07, 2023
CVSS 3.x: 7.5 HIGH (source: NVD)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 2.x: 5.0 MEDIUM
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Python's elementtree C accelerator (the _elementtree module behind xml.etree.ElementTree) failed to initialise Expat's hash salt when it created its parser. This makes it easy to conduct denial-of-service attacks against Expat by constructing an XML document that causes pathological hash collisions in Expat's internal data structures, consuming large amounts of CPU and RAM. The vulnerability exists in Python versions 3.7.0, 3.6.0 through 3.6.6, 3.5.0 through 3.5.6, 3.4.0 through 3.4.9, and 2.7.0 through 2.7.15. Only the accelerated parser is affected: parser objects created directly through xml.parsers.expat (pyexpat) already set the salt themselves.

Weakness

The product does not initialize a critical resource.

Affected Software

Name    Vendor  Start Version  End Version
Python  Python  2.7.0          2.7.15
Python  Python  3.4.0          3.4.9
Python  Python  3.5.0          3.5.6
Python  Python  3.6.0          3.6.6
Python  Python  3.7.0          3.7.0

Potential Mitigations

Upgrade to the first release after each affected range: 2.7.16, 3.4.10, 3.5.7, 3.6.7 or 3.7.1, where _elementtree calls XML_SetHashSalt with the interpreter's hash secret. Where upgrading is not immediately possible, parse untrusted XML through xml.parsers.expat (or, on Python 3, block the _elementtree import so xml.etree.ElementTree falls back to its pure-Python parser), and bound the size of untrusted documents, since the collision attack needs many distinct element and attribute names.
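The following is an added example, not code from the CVE record or from CPython. It encodes the affected ranges from the table on this page, reports whether the running interpreter is in one of them and whether the C accelerator is the parser actually in use, and shows the workaround of parsing untrusted input through xml.parsers.expat with an input-size cap. The name count and the sample document are constructed for illustration; the "first fixed" release is derived as the micro version after each listed range.

```python
"""CVE-2018-14647 checks and workaround (added example, not CPython code)."""
import sys
import xml.parsers.expat

# Affected ranges exactly as the advisory table lists them (inclusive).
AFFECTED = {
    (2, 7): ((2, 7, 0), (2, 7, 15)),
    (3, 4): ((3, 4, 0), (3, 4, 9)),
    (3, 5): ((3, 5, 0), (3, 5, 6)),
    (3, 6): ((3, 6, 0), (3, 6, 6)),
    (3, 7): ((3, 7, 0), (3, 7, 0)),
}


def is_affected(version):
    """True if (major, minor, micro) falls inside a listed range.

    Lines the table does not mention (e.g. 3.8+) return False; older
    end-of-life lines are simply not covered by this record.
    """
    v = tuple(version[:3])
    rng = AFFECTED.get(v[:2])
    return rng is not None and rng[0] <= v <= rng[1]


def first_fixed(version):
    """First release after the listed range, or None if the line is unlisted."""
    rng = AFFECTED.get(tuple(version[:2]))
    if rng is None:
        return None
    major, minor, micro = rng[1]
    return (major, minor, micro + 1)


def accelerator_loaded():
    """Whether xml.etree.ElementTree is backed by the _elementtree C module,
    the code path this CVE is about (Python 3; on 2.7 the accelerated module
    is xml.etree.cElementTree instead)."""
    import xml.etree.ElementTree as ET
    mod = sys.modules.get("_elementtree")
    return mod is not None and ET.XMLParser is getattr(mod, "XMLParser", None)


def count_names_salted(data, max_bytes=1 << 20):
    """Parse untrusted XML with a parser created through xml.parsers.expat
    (pyexpat sets Expat's hash salt itself), after capping the input size
    as defence in depth: a collision attack needs many distinct names, so
    bounding the document bounds the work. Returns the number of distinct
    element and attribute names seen."""
    if len(data) > max_bytes:
        raise ValueError("input exceeds %d bytes" % max_bytes)
    names = set()

    def start(tag, attrs):
        names.add(tag)
        names.update(attrs)  # attrs is a dict of attribute name -> value

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = start
    parser.Parse(data, True)
    return len(names)


# Constructed sample document (not from the advisory).
SAMPLE = b'<root a="1" b="2"><child a="3"/><other c="4"/></root>'

if __name__ == "__main__":
    v = sys.version_info[:3]
    print("Python %d.%d.%d affected: %s" % (v + (is_affected(v),)))
    print("first fixed release in this line:", first_fixed(v))
    print("C accelerator in use:", accelerator_loaded())
    print("distinct names in sample:", count_names_salted(SAMPLE))
```

On an affected Python 3 interpreter, setting sys.modules["_elementtree"] = None before the first import of xml.etree.ElementTree makes the accelerator import fail and the module fall back to its pure-Python XMLParser, which builds on the salted pyexpat parser; accelerator_loaded() then returns False.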

References