CVE-2018-14647

Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming large amounts CPU and RAM. The vulnerability exists in Python versions 3.7.0, 3.6.0 through 3.6.6, 3.5.0 through 3.5.6, 3.4.0 through 3.4.9, 2.7.0 through 2.7.15.

Published: Sep 25, 2018
Updated: Apr 13, 2023
CVE: CVE-2018-14647
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:N/I:N/A:P

CWEs:

CWE-909

Affected Software
References

Software	From	Fixed in
python / python	3.5.0	3.5.6.x
python / python	2.7.0	2.7.15.x
python / python	3.7.0	3.7.0.x
python / python	3.4.0	3.4.9.x
python / python	3.6.0	3.6.6.x
canonical / ubuntu_linux	16.04	16.04.x
canonical / ubuntu_linux	12.04	12.04.x
canonical / ubuntu_linux	18.04	18.04.x
canonical / ubuntu_linux	14.04	14.04.x
debian / debian_linux	8.0	8.0.x
debian / debian_linux	9.0	9.0.x
fedoraproject / fedora	30	30.x
opensuse / leap	15.1	15.1.x
redhat / enterprise_linux_desktop	7.0	7.0.x
redhat / enterprise_linux_workstation	7.0	7.0.x
redhat / enterprise_linux_server	7.0	7.0.x

Vulnerability Database

289,599

CVE-2018-14647