CVE-2018-1061

Published: Jun 19, 2018Modified: Nov 21, 2024

7.5

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in the difflib.IS_LINE_JUNK method. An attacker could use this flaw to cause denial of service.

Affected (27)

Products: Python: Python · Debian: Debian Linux · Redhat: Ansible Tower, Enterprise Linux Desktop, Enterprise Linux Server, Enterprise Linux Workstation · +2 more

Show all products

Python: Python · Debian: Debian Linux · Redhat: Ansible Tower, Enterprise Linux Desktop, Enterprise Linux Server, Enterprise Linux Workstation · Canonical: Ubuntu Linux · Fedoraproject: Fedora

1 product

1 product

4 products

Enterprise Linux Desktop

Enterprise Linux Server

Enterprise Linux Workstation

1 product

1 product

Configuration A

14 vulnerable

Vulnerable Software	Affected Versions
Python Python	Before 2.7.15
Python Python	From 3.0 to 3.4.9
Python Python	From 3.5.0 to 3.5.5
Python Python	From 3.6 to 3.6.4
Python Python	Version 3.7.0 alpha1
Python Python	Version 3.7.0 alpha2
Python Python	Version 3.7.0 alpha3
Python Python	Version 3.7.0 alpha4
Python Python	Version 3.7.0 beta1
Python Python	Version 3.7.0 beta2
Python Python	Version 3.7.0 beta3
Python Python	Version 3.7.0 beta4
Python Python	Version 3.7.0 beta5
Python Python	Version 3.7.0 rc1

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 8.0
Debian Debian Linux	Version 9.0

Configuration C

4 vulnerable

Vulnerable Software	Affected Versions
Redhat Ansible Tower	Version 3.3
Redhat Enterprise Linux Desktop	Version 7.0
Redhat Enterprise Linux Server	Version 7.0
Redhat Enterprise Linux Workstation	Version 7.0

Configuration D

4 vulnerable

Vulnerable Software	Affected Versions
Canonical Ubuntu Linux	Version 12.04
Canonical Ubuntu Linux	Version 14.04
Canonical Ubuntu Linux	Version 16.04
Canonical Ubuntu Linux	Version 18.04

Configuration E

3 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 28
Fedoraproject Fedora	Version 29
Fedoraproject Fedora	Version 30

Related CWEs

CWE-20

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References (42)

http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html

Source: secalert@redhat.com

http://www.securitytracker.com/id/1042001

Source: secalert@redhat.com

Third Party AdvisoryVDB Entry

https://access.redhat.com/errata/RHBA-2019:0327

Source: secalert@redhat.com

Third Party Advisory

https://access.redhat.com/errata/RHSA-2018:3041

Source: secalert@redhat.com

Third Party Advisory

https://access.redhat.com/errata/RHSA-2018:3505

Source: secalert@redhat.com

Third Party Advisory

https://access.redhat.com/errata/RHSA-2019:1260

Source: secalert@redhat.com

https://access.redhat.com/errata/RHSA-2019:3725

Source: secalert@redhat.com

https://bugs.python.org/issue32981

Source: secalert@redhat.com

Vendor Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1061

Source: secalert@redhat.com

Issue Tracking

https://docs.python.org/3.5/whatsnew/changelog.html#python-3-5-6-release-candidate-1

Source: secalert@redhat.com

Vendor Advisory

https://docs.python.org/3.6/whatsnew/changelog.html#python-3-6-5-release-candidate-1

Source: secalert@redhat.com

Vendor Advisory

https://lists.debian.org/debian-lts-announce/2018/09/msg00030.html

Source: secalert@redhat.com

Mailing ListThird Party Advisory

https://lists.debian.org/debian-lts-announce/2018/09/msg00031.html

Source: secalert@redhat.com

Mailing ListThird Party Advisory

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/46PVWY5LFP4BRPG3BVQ5QEEFYBVEXHCK/

Source: secalert@redhat.com

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AEZ5IQT7OF7Q2NCGIVABOWYGKO7YU3NJ/

Source: secalert@redhat.com

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JSKPGPZQNTAULHW4UH63KGOOUIDE4RRB/

Source: secalert@redhat.com

https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03951en_us

Source: secalert@redhat.com

https://usn.ubuntu.com/3817-1/

Source: secalert@redhat.com

Third Party Advisory

https://usn.ubuntu.com/3817-2/

Source: secalert@redhat.com

Third Party Advisory

https://www.debian.org/security/2018/dsa-4306

Source: secalert@redhat.com

Third Party Advisory

https://www.debian.org/security/2018/dsa-4307

Source: secalert@redhat.com

Third Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html