CVE-2018-14647

Public on 2018-11-05
Modified on 2019-01-12
Description
Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming large amounts of CPU and RAM.
Severity
Medium
CVSS v3 Base Score
5.3

Affected Packages

| Platform | Package | Release Date | Advisory |
| --- | --- | --- | --- |
| Amazon Linux 2 | python3 | 2018-12-17 19:14 | ALAS2-2018-1132 |
| Amazon Linux 1 | python34 | 2018-12-20 00:01 | ALAS-2018-1132 |
| Amazon Linux 1 | python36 | 2018-12-20 00:01 | ALAS-2018-1132 |
| Amazon Linux 1 | python35 | 2018-11-05 21:47 | ALAS-2018-1101 |

CVSS Scores

| Score Type | Score | Vector |
| --- | --- | --- |
| Amazon Linux CVSSv3 | 5.3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
| NVD CVSSv2 | 5.0 | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| NVD CVSSv3 | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |