Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2018-1000802

Опубликовано: 29 авг. 2018
Источник: redhat
CVSS3: 6.5
EPSS Средний

Описание

Python Software Foundation Python (CPython) version 2.7 contains a CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in shutil module (make_archive function) that can result in Denial of service, Information gain via injection of arbitrary files on the system or entire drive. This attack appear to be exploitable via Passage of unfiltered user input to the function. This vulnerability appears to have been fixed in after commit add531a1e55b0a739b0f42582f1c9747e5649ace.

It was discovered that the shutil module of python does not properly sanitize input when creating a zip file on Windows. An attacker could use this flaw to cause a denial of service or add unintended files to the generated archive.

Отчет

This issue did not affect the versions of python as shipped with Red Hat Enterprise Linux 5, 6 and 7 as Linux does not use the vulnerable code.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Enterprise Linux 5pythonNot affected
Red Hat Enterprise Linux 6pythonNot affected
Red Hat Enterprise Linux 7pythonNot affected
Red Hat Software Collectionspython27-pythonNot affected
Red Hat Software Collectionsrh-python35-pythonNot affected
Red Hat Software Collectionsrh-python36-pythonNot affected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-77
https://bugzilla.redhat.com/show_bug.cgi?id=1631420python: Command injection in the shutil module

EPSS

Процентиль: 96%
0.2441
Средний

6.5 Medium

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2018-1000802

CVSS3: 9.8
ubuntu
почти 7 лет назад

Python Software Foundation Python (CPython) version 2.7 contains a CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in shutil module (make_archive function) that can result in Denial of service, Information gain via injection of arbitrary files on the system or entire drive. This attack appear to be exploitable via Passage of unfiltered user input to the function. This vulnerability appears to have been fixed in after commit add531a1e55b0a739b0f42582f1c9747e5649ace.

nvd логотип

CVE-2018-1000802

CVSS3: 9.8
nvd
почти 7 лет назад

Python Software Foundation Python (CPython) version 2.7 contains a CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in shutil module (make_archive function) that can result in Denial of service, Information gain via injection of arbitrary files on the system or entire drive. This attack appear to be exploitable via Passage of unfiltered user input to the function. This vulnerability appears to have been fixed in after commit add531a1e55b0a739b0f42582f1c9747e5649ace.

debian логотип

CVE-2018-1000802

CVSS3: 9.8
debian
почти 7 лет назад

Python Software Foundation Python (CPython) version 2.7 contains a CWE ...

suse-cvrf логотип

openSUSE-SU-2018:3052-1

suse-cvrf
больше 6 лет назад

Security update for python

suse-cvrf логотип

SUSE-SU-2018:3002-1

suse-cvrf
больше 6 лет назад

Security update for python

EPSS

Процентиль: 96%
0.2441
Средний

6.5 Medium

CVSS3