CVE-2018-1061

MEDIUM

Description

python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in the difflib.IS_LINE_JUNK method. An attacker could use this flaw to cause denial of service.

References

http://www.securitytracker.com/id/1042001

https://access.redhat.com/errata/RHBA-2019:0327

https://access.redhat.com/errata/RHSA-2018:3041

https://access.redhat.com/errata/RHSA-2018:3505

https://access.redhat.com/errata/RHSA-2019:1260

https://bugs.python.org/issue32981

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1061

https://docs.python.org/3.5/whatsnew/changelog.html#python-3-5-6-release-candidate-1

https://docs.python.org/3.6/whatsnew/changelog.html#python-3-6-5-release-candidate-1

https://lists.debian.org/debian-lts-announce/2018/09/msg00030.html

https://lists.debian.org/debian-lts-announce/2018/09/msg00031.html

https://lists.fedoraproject.org/archives/list/[email protected]/message/46PVWY5LFP4BRPG3BVQ5QEEFYBVEXHCK/

https://lists.fedoraproject.org/archives/list/[email protected]/message/AEZ5IQT7OF7Q2NCGIVABOWYGKO7YU3NJ/

https://lists.fedoraproject.org/archives/list/[email protected]/message/JSKPGPZQNTAULHW4UH63KGOOUIDE4RRB/

https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03951en_us

https://usn.ubuntu.com/3817-1/

https://usn.ubuntu.com/3817-2/

https://www.debian.org/security/2018/dsa-4306

https://www.debian.org/security/2018/dsa-4307

Details

Source: MITRE

Published: 2018-06-19

Updated: 2019-10-03

Risk Information

CVSS v2.0

Base Score: 5

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Impact Score: 2.9

Exploitability Score: 10

Severity: MEDIUM

CVSS v3.0

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Impact Score: 3.6

Exploitability Score: 3.9

Severity: HIGH

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:python:python:*:*:*:*:*:*:*:*

cpe:2.3:a:python:python:*:*:*:*:*:*:*:*

cpe:2.3:a:python:python:*:*:*:*:*:*:*:* versions from 3.5.0 to 3.5.5 (inclusive)

cpe:2.3:a:python:python:*:*:*:*:*:*:*:* versions from 3.6 to 3.6.4 (inclusive)

cpe:2.3:a:python:python:3.7.0:alpha1:*:*:*:*:*:*

cpe:2.3:a:python:python:3.7.0:alpha2:*:*:*:*:*:*

cpe:2.3:a:python:python:3.7.0:alpha3:*:*:*:*:*:*

cpe:2.3:a:python:python:3.7.0:alpha4:*:*:*:*:*:*

cpe:2.3:a:python:python:3.7.0:beta1:*:*:*:*:*:*

cpe:2.3:a:python:python:3.7.0:beta2:*:*:*:*:*:*

cpe:2.3:a:python:python:3.7.0:beta3:*:*:*:*:*:*

cpe:2.3:a:python:python:3.7.0:beta4:*:*:*:*:*:*

cpe:2.3:a:python:python:3.7.0:beta5:*:*:*:*:*:*

cpe:2.3:a:python:python:3.7.0:rc1:*:*:*:*:*:*

Configuration 2

OR

cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Configuration 3

OR

cpe:2.3:a:redhat:ansible_tower:3.3:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*

Configuration 4

OR

cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*

Configuration 5

OR

cpe:2.3:o:fedoraproject:fedora:28:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*

Tenable Plugins

View all (41 total)

IDNameProductFamilySeverity
135247RHEL 7 : python (RHSA-2020:1346)NessusRed Hat Local Security Checks
medium
135089RHEL 7 : python (RHSA-2020:1268)NessusRed Hat Local Security Checks
medium
133259SUSE SLED15 / SLES15 Security Update : python (SUSE-SU-2020:0234-1) (BEAST) (httpoxy)NessusSuSE Local Security Checks
critical
133172openSUSE Security Update : python3 (openSUSE-2020-86) (BEAST) (httpoxy)NessusSuSE Local Security Checks
critical
133036SUSE SLED15 / SLES15 Security Update : python3 (SUSE-SU-2020:0114-1) (BEAST) (httpoxy)NessusSuSE Local Security Checks
critical
127255NewStart CGSL CORE 5.04 / MAIN 5.04 : python Multiple Vulnerabilities (NS-SA-2019-0061)NessusNewStart CGSL Local Security Checks
medium
126383Amazon Linux 2 : python (ALAS-2019-1230)NessusAmazon Linux Local Security Checks
medium
124937EulerOS Virtualization 3.0.1.0 : python (EulerOS-SA-2019-1434)NessusHuawei Local Security Checks
critical
124906EulerOS Virtualization for ARM 64 3.0.1.0 : python (EulerOS-SA-2019-1403)NessusHuawei Local Security Checks
medium
124623EulerOS 2.0 SP3 : python (EulerOS-SA-2019-1337)NessusHuawei Local Security Checks
medium
124492Fedora 30 : python35 (2019-51f1e08207)NessusFedora Local Security Checks
medium
123716EulerOS Virtualization 2.5.4 : python (EulerOS-SA-2019-1248)NessusHuawei Local Security Checks
medium
123714EulerOS Virtualization 2.5.3 : python (EulerOS-SA-2019-1246)NessusHuawei Local Security Checks
medium
123480Fedora 28 : python35 (2019-cf725dd20b)NessusFedora Local Security Checks
medium
123140Fedora 29 : python35 (2019-6e1938a3c5)NessusFedora Local Security Checks
medium
122695EulerOS 2.0 SP5 : python (EulerOS-SA-2019-1072)NessusHuawei Local Security Checks
medium
122382EulerOS 2.0 SP2 : python (EulerOS-SA-2019-1055)NessusHuawei Local Security Checks
medium
121985Photon OS 2.0: Python2 PHSA-2018-2.0-0086NessusPhotonOS Local Security Checks
medium
121881Photon OS 1.0: Python3 PHSA-2018-1.0-0178NessusPhotonOS Local Security Checks
medium
121880Photon OS 1.0: Python2 PHSA-2018-1.0-0178NessusPhotonOS Local Security Checks
medium
119571SUSE SLED12 / SLES12 Security Update : python, python-base (SUSE-SU-2018:3554-2)NessusSuSE Local Security Checks
high
119467Amazon Linux AMI : python27 (ALAS-2018-1108)NessusAmazon Linux Local Security Checks
medium
119196Scientific Linux Security Update : python on SL7.x x86_64 (20181030)NessusScientific Linux Local Security Checks
medium
118984CentOS 7 : python (CESA-2018:3041)NessusCentOS Local Security Checks
medium
118954Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS : Python vulnerabilities (USN-3817-1)NessusUbuntu Local Security Checks
high
118869openSUSE Security Update : python / python-base (openSUSE-2018-1363)NessusSuSE Local Security Checks
high
118763Oracle Linux 7 : python (ELSA-2018-3041)NessusOracle Linux Local Security Checks
medium
118515RHEL 7 : python (RHSA-2018:3041)NessusRed Hat Local Security Checks
medium
118501SUSE SLED12 / SLES12 Security Update : python, python-base (SUSE-SU-2018:3554-1)NessusSuSE Local Security Checks
high
117838Debian DSA-4307-1 : python3.5 - security updateNessusDebian Local Security Checks
high
117812Debian DSA-4306-1 : python2.7 - security updateNessusDebian Local Security Checks
high
117713Debian DLA-1520-1 : python3.4 security updateNessusDebian Local Security Checks
high
117712Debian DLA-1519-1 : python2.7 security updateNessusDebian Local Security Checks
high
117516openSUSE Security Update : python3 (openSUSE-2018-1001)NessusSuSE Local Security Checks
medium
117478SUSE SLED12 / SLES12 Security Update : python3 (SUSE-SU-2018:2696-1)NessusSuSE Local Security Checks
medium
112224Photon OS 2.0: Docker / Python2 / Strongswan PHSA-2018-2.0-0086 (deprecated)NessusPhotonOS Local Security Checks
medium
112221Photon OS 1.0: Postgresql / Python2 / Python3 / Strongswan PHSA-2018-1.0-0178 (deprecated)NessusPhotonOS Local Security Checks
medium
112012SUSE SLES11 Security Update : python (SUSE-SU-2018:2408-1)NessusSuSE Local Security Checks
critical
109594FreeBSD : python 2.7 -- multiple vulnerabilities (8719b935-8bae-41ad-92ba-3c826f651219)NessusFreeBSD Local Security Checks
high
109583Slackware 14.0 / 14.1 / 14.2 / current : python (SSA:2018-124-01)NessusSlackware Local Security Checks
high
109368Amazon Linux AMI : python34 / python35,python36,python27 (ALAS-2018-1003)NessusAmazon Linux Local Security Checks
medium