CVE-2012-2135 : The utf-16 decoder in Python 3.1 through 3.3 does not update the aligned_end variable after calling the unicode_decode

The utf-16 decoder in Python 3.1 through 3.3 does not update the aligned_end variable after calling the unicode_decode_call_errorhandler function, which allows remote attackers to obtain sensitive information (process memory) or cause a denial of service (memory corruption and crash) via unspecified vectors.

Published 2012-08-14 22:55:01

Updated 2023-01-19 15:53:44

Source Red Hat, Inc.

View at NVD, CVE.org

Vulnerability category: Memory CorruptionDenial of service

Threat overview for CVE-2012-2135

Top countries where our scanners detected CVE-2012-2135

Top open port discovered on systems with this issue 80

IPs affected by CVE-2012-2135 15,223

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2012-2135!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2012-2135

Probability of exploitation activity in the next 30 days: 3.28%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 90 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2012-2135

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.4	MEDIUM	AV:N/AC:L/Au:N/C:P/I:N/A:P	10.0	4.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: Partial

References for CVE-2012-2135

http://bugs.python.org/issue14579

Issue 14579: CVE-2012-2135: Vulnerability in the utf-16 decoder after error handling - Python tracker
Vendor Advisory
http://www.openwall.com/lists/oss-security/2012/04/25/2

oss-security - CVE Request: Python 3.2/3.3 utf-16 decoder unicode_decode_call_errorhandler aligned_end is not updated
Mailing List;Third Party Advisory
http://www.ubuntu.com/usn/USN-1615-1

USN-1615-1: Python 3.2 vulnerabilities | Ubuntu security notices
Third Party Advisory

CVEs referencing this url
http://www.openwall.com/lists/oss-security/2012/04/25/4

oss-security - Re: CVE Request: Python 3.2/3.3 utf-16 decoder unicode_decode_call_errorhandler aligned_end is not updated
Mailing List;Third Party Advisory
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=670389

#670389 - python3: CVE-2012-2135 utf-16 decoder unicode_decode_call_errorhandler aligned_end is not updated - Debian Bug report logs
Third Party Advisory
http://www.ubuntu.com/usn/USN-1616-1

USN-1616-1: Python 3.1 vulnerabilities | Ubuntu security notices
Third Party Advisory

CVEs referencing this url

Products affected by CVE-2012-2135

Debian » Debian Linux » Version: 6.0
cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 12.04
cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:-:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 12.10
cpe:2.3:o:canonical:ubuntu_linux:12.10:*:*:*:*:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 10.04
cpe:2.3:o:canonical:ubuntu_linux:10.04:*:*:*:-:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 11.04
cpe:2.3:o:canonical:ubuntu_linux:11.04:*:*:*:*:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 11.10
cpe:2.3:o:canonical:ubuntu_linux:11.10:*:*:*:*:*:*:*
Matching versions
Python » Python
Versions from including (>=) 2.7.0 and before (<) 2.7.4
cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
Matching versions
Python » Python
Versions from including (>=) 3.2.0 and before (<) 3.2.4
cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
Matching versions
Python » Python
Versions from including (>=) 3.3.0 and before (<) 3.3.3
cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2012-2135

Threat overview for CVE-2012-2135

Exploit prediction scoring system (EPSS) score for CVE-2012-2135

CVSS scores for CVE-2012-2135

References for CVE-2012-2135

Products affected by CVE-2012-2135