CVE-2018-1060

Published: Jun 18, 2018Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in pop3lib's apop() method. An attacker could use this flaw to cause denial of service.

Affected (17)

Products: Python: Python · Fedoraproject: Fedora · Canonical: Ubuntu Linux · +2 more

Show all products

Python: Python · Fedoraproject: Fedora · Canonical: Ubuntu Linux · Redhat: Ansible Tower, Enterprise Linux Desktop, Enterprise Linux Server, Enterprise Linux Workstation · Debian: Debian Linux

1 product

1 product

1 product

4 products

Enterprise Linux Desktop

Enterprise Linux Server

Enterprise Linux Workstation

Debian

1 product

Debian Linux

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Python Python	After 3.6.0 to 3.6.5
Python Python	From 2.7.0 to 2.7.15
Python Python	From 3.0.0 to 3.4.9
Python Python	From 3.5.0 to 3.5.6

Configuration B

3 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 28
Fedoraproject Fedora	Version 29
Fedoraproject Fedora	Version 30

Configuration C

4 vulnerable

Vulnerable Software	Affected Versions
Canonical Ubuntu Linux	Version 12.04
Canonical Ubuntu Linux	Version 14.04
Canonical Ubuntu Linux	Version 16.04
Canonical Ubuntu Linux	Version 18.04

Configuration D

4 vulnerable

Vulnerable Software	Affected Versions
Redhat Ansible Tower	Version 3.3
Redhat Enterprise Linux Desktop	Version 7.0
Redhat Enterprise Linux Server	Version 7.0
Redhat Enterprise Linux Workstation	Version 7.0

Configuration E

2 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 8.0
Debian Debian Linux	Version 9.0

Related CWEs

CWE-20

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References (44)

http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html

Source: secalert@redhat.com

Mailing ListThird Party Advisory

http://www.securitytracker.com/id/1042001

Source: secalert@redhat.com

Third Party AdvisoryVDB Entry

https://access.redhat.com/errata/RHBA-2019:0327

Source: secalert@redhat.com

Third Party Advisory

https://access.redhat.com/errata/RHSA-2018:3041

Source: secalert@redhat.com

Third Party Advisory

https://access.redhat.com/errata/RHSA-2018:3505

Source: secalert@redhat.com

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:1260

Source: secalert@redhat.com

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:3725

Source: secalert@redhat.com

Third Party Advisory

https://bugs.python.org/issue32981

Source: secalert@redhat.com

ExploitIssue TrackingVendor Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1060

Source: secalert@redhat.com

Issue TrackingThird Party Advisory

https://docs.python.org/3.5/whatsnew/changelog.html#python-3-5-6-release-candidate-1

Source: secalert@redhat.com

ProductVendor Advisory

https://docs.python.org/3.6/whatsnew/changelog.html#python-3-6-5-release-candidate-1

Source: secalert@redhat.com

ProductVendor Advisory

https://lists.debian.org/debian-lts-announce/2018/09/msg00030.html

Source: secalert@redhat.com

Mailing ListThird Party Advisory

https://lists.debian.org/debian-lts-announce/2018/09/msg00031.html

Source: secalert@redhat.com

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/46PVWY5LFP4BRPG3BVQ5QEEFYBVEXHCK/

Source: secalert@redhat.com

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AEZ5IQT7OF7Q2NCGIVABOWYGKO7YU3NJ/

Source: secalert@redhat.com

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JSKPGPZQNTAULHW4UH63KGOOUIDE4RRB/

Source: secalert@redhat.com

https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03951en_us

Source: secalert@redhat.com

Third Party Advisory

https://usn.ubuntu.com/3817-1/

Source: secalert@redhat.com

Third Party Advisory

https://usn.ubuntu.com/3817-2/

Source: secalert@redhat.com

Third Party Advisory

https://www.debian.org/security/2018/dsa-4306

Source: secalert@redhat.com

Third Party Advisory

https://www.debian.org/security/2018/dsa-4307

Source: secalert@redhat.com

Third Party Advisory

https://www.oracle.com/security-alerts/cpujan2020.html

Source: secalert@redhat.com

Third Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html