CVE-2018-1061

high
New! CVE Severity Now Using CVSS v3

The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Description

python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in the difflib.IS_LINE_JUNK method. An attacker could use this flaw to cause denial of service.

References

http://www.securitytracker.com/id/1042001

https://access.redhat.com/errata/RHBA-2019:0327

https://access.redhat.com/errata/RHSA-2018:3041

https://access.redhat.com/errata/RHSA-2018:3505

https://access.redhat.com/errata/RHSA-2019:1260

https://bugs.python.org/issue32981

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1061

https://docs.python.org/3.5/whatsnew/changelog.html#python-3-5-6-release-candidate-1

https://docs.python.org/3.6/whatsnew/changelog.html#python-3-6-5-release-candidate-1

https://lists.debian.org/debian-lts-announce/2018/09/msg00030.html

https://lists.debian.org/debian-lts-announce/2018/09/msg00031.html

https://lists.fedoraproject.org/archives/list/[email protected]/message/46PVWY5LFP4BRPG3BVQ5QEEFYBVEXHCK/

https://lists.fedoraproject.org/archives/list/[email protected]/message/AEZ5IQT7OF7Q2NCGIVABOWYGKO7YU3NJ/

https://lists.fedoraproject.org/archives/list/[email protected]/message/JSKPGPZQNTAULHW4UH63KGOOUIDE4RRB/

https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03951en_us

https://usn.ubuntu.com/3817-1/

https://usn.ubuntu.com/3817-2/

https://www.debian.org/security/2018/dsa-4306

https://www.debian.org/security/2018/dsa-4307

Details

Source: MITRE

Published: 2018-06-19

Updated: 2019-10-03

Risk Information

CVSS v2

Base Score: 5

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Impact Score: 2.9

Exploitability Score: 10

Severity: MEDIUM

CVSS v3

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Impact Score: 3.6

Exploitability Score: 3.9

Severity: HIGH

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:python:python:*:*:*:*:*:*:*:*

cpe:2.3:a:python:python:*:*:*:*:*:*:*:*

cpe:2.3:a:python:python:*:*:*:*:*:*:*:* versions from 3.5.0 to 3.5.5 (inclusive)

cpe:2.3:a:python:python:*:*:*:*:*:*:*:* versions from 3.6 to 3.6.4 (inclusive)

cpe:2.3:a:python:python:3.7.0:alpha1:*:*:*:*:*:*

cpe:2.3:a:python:python:3.7.0:alpha2:*:*:*:*:*:*

cpe:2.3:a:python:python:3.7.0:alpha3:*:*:*:*:*:*

cpe:2.3:a:python:python:3.7.0:alpha4:*:*:*:*:*:*

cpe:2.3:a:python:python:3.7.0:beta1:*:*:*:*:*:*

cpe:2.3:a:python:python:3.7.0:beta2:*:*:*:*:*:*

cpe:2.3:a:python:python:3.7.0:beta3:*:*:*:*:*:*

cpe:2.3:a:python:python:3.7.0:beta4:*:*:*:*:*:*

cpe:2.3:a:python:python:3.7.0:beta5:*:*:*:*:*:*

cpe:2.3:a:python:python:3.7.0:rc1:*:*:*:*:*:*

Configuration 2

OR

cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

Configuration 3

OR

cpe:2.3:a:redhat:ansible_tower:3.3:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*

Configuration 4

OR

cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*

Configuration 5

OR

cpe:2.3:o:fedoraproject:fedora:28:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*

Tenable Plugins

View all (41 total)

IDNameProductFamilySeverity
135247RHEL 7 : python (RHSA-2020:1346)NessusRed Hat Local Security Checks
critical
135089RHEL 7 : python (RHSA-2020:1268)NessusRed Hat Local Security Checks
critical
133259SUSE SLED15 / SLES15 Security Update : python (SUSE-SU-2020:0234-1) (BEAST) (httpoxy)NessusSuSE Local Security Checks
critical
133172openSUSE Security Update : python3 (openSUSE-2020-86) (BEAST) (httpoxy)NessusSuSE Local Security Checks
critical
133036SUSE SLED15 / SLES15 Security Update : python3 (SUSE-SU-2020:0114-1) (BEAST) (httpoxy)NessusSuSE Local Security Checks
critical
127255NewStart CGSL CORE 5.04 / MAIN 5.04 : python Multiple Vulnerabilities (NS-SA-2019-0061)NessusNewStart CGSL Local Security Checks
critical
126383Amazon Linux 2 : python (ALAS-2019-1230)NessusAmazon Linux Local Security Checks
critical
124937EulerOS Virtualization 3.0.1.0 : python (EulerOS-SA-2019-1434)NessusHuawei Local Security Checks
critical
124906EulerOS Virtualization for ARM 64 3.0.1.0 : python (EulerOS-SA-2019-1403)NessusHuawei Local Security Checks
critical
124623EulerOS 2.0 SP3 : python (EulerOS-SA-2019-1337)NessusHuawei Local Security Checks
critical
124492Fedora 30 : python35 (2019-51f1e08207)NessusFedora Local Security Checks
critical
123716EulerOS Virtualization 2.5.4 : python (EulerOS-SA-2019-1248)NessusHuawei Local Security Checks
high
123714EulerOS Virtualization 2.5.3 : python (EulerOS-SA-2019-1246)NessusHuawei Local Security Checks
high
123480Fedora 28 : python35 (2019-cf725dd20b)NessusFedora Local Security Checks
critical
123140Fedora 29 : python35 (2019-6e1938a3c5)NessusFedora Local Security Checks
critical
122695EulerOS 2.0 SP5 : python (EulerOS-SA-2019-1072)NessusHuawei Local Security Checks
high
122382EulerOS 2.0 SP2 : python (EulerOS-SA-2019-1055)NessusHuawei Local Security Checks
high
121985Photon OS 2.0: Python2 PHSA-2018-2.0-0086NessusPhotonOS Local Security Checks
high
121881Photon OS 1.0: Python3 PHSA-2018-1.0-0178NessusPhotonOS Local Security Checks
high
121880Photon OS 1.0: Python2 PHSA-2018-1.0-0178NessusPhotonOS Local Security Checks
high
119571SUSE SLED12 / SLES12 Security Update : python, python-base (SUSE-SU-2018:3554-2)NessusSuSE Local Security Checks
critical
119467Amazon Linux AMI : python27 (ALAS-2018-1108)NessusAmazon Linux Local Security Checks
high
119196Scientific Linux Security Update : python on SL7.x x86_64 (20181030)NessusScientific Linux Local Security Checks
high
118984CentOS 7 : python (CESA-2018:3041)NessusCentOS Local Security Checks
high
118954Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS : Python vulnerabilities (USN-3817-1)NessusUbuntu Local Security Checks
critical
118869openSUSE Security Update : python / python-base (openSUSE-2018-1363)NessusSuSE Local Security Checks
critical
118763Oracle Linux 7 : python (ELSA-2018-3041)NessusOracle Linux Local Security Checks
high
118515RHEL 7 : python (RHSA-2018:3041)NessusRed Hat Local Security Checks
high
118501SUSE SLED12 / SLES12 Security Update : python, python-base (SUSE-SU-2018:3554-1)NessusSuSE Local Security Checks
critical
117838Debian DSA-4307-1 : python3.5 - security updateNessusDebian Local Security Checks
critical
117812Debian DSA-4306-1 : python2.7 - security updateNessusDebian Local Security Checks
critical
117713Debian DLA-1520-1 : python3.4 security updateNessusDebian Local Security Checks
critical
117712Debian DLA-1519-1 : python2.7 security updateNessusDebian Local Security Checks
critical
117516openSUSE Security Update : python3 (openSUSE-2018-1001)NessusSuSE Local Security Checks
high
117478SUSE SLED12 / SLES12 Security Update : python3 (SUSE-SU-2018:2696-1)NessusSuSE Local Security Checks
high
112224Photon OS 2.0: Docker / Python2 / Strongswan PHSA-2018-2.0-0086 (deprecated)NessusPhotonOS Local Security Checks
high
112221Photon OS 1.0: Postgresql / Python2 / Python3 / Strongswan PHSA-2018-1.0-0178 (deprecated)NessusPhotonOS Local Security Checks
high
112012SUSE SLES11 Security Update : python (SUSE-SU-2018:2408-1)NessusSuSE Local Security Checks
critical
109594FreeBSD : python 2.7 -- multiple vulnerabilities (8719b935-8bae-41ad-92ba-3c826f651219)NessusFreeBSD Local Security Checks
critical
109583Slackware 14.0 / 14.1 / 14.2 / current : python (SSA:2018-124-01)NessusSlackware Local Security Checks
critical
109368Amazon Linux AMI : python34 / python35,python36,python27 (ALAS-2018-1003)NessusAmazon Linux Local Security Checks
high