Vulnerability Details : CVE-2013-7040
Python 2.7 before 3.4 only uses the last eight bits of the prefix to randomize hash values, which causes it to compute hash values without restricting the ability to trigger hash collisions predictably and makes it easier for context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-1150.
Vulnerability category: Denial of service
Products affected by CVE-2013-7040
- cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.1:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.2:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.2:alpha:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.0:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:2.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:2.7.2:rc1:*:*:*:*:*:*
- cpe:2.3:a:python:python:2.7.1:rc1:*:*:*:*:*:*
- cpe:2.3:a:python:python:2.7.2150:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:2.7.1150:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:2.7.3:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.2.2150:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.3:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.3:beta2:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.3.3:rc1:*:*:*:*:*:*
- cpe:2.3:a:python:python:2.7.5:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:2.7.6:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.3.3:rc2:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.3.4:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:2.7.7:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.3.4:rc1:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.3.5:-:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.3.1:rc1:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.3.5:rc1:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.3.5:rc2:*:*:*:*:*:*
- cpe:2.3:a:python:python:2.7.4:*:*:*:*:*:*:*
Threat overview for CVE-2013-7040
- Top open port discovered on systems with this issue: 8123
- IPs affected by CVE-2013-7040: 127,203
- Threat actors abusing this issue? Yes
Exploit prediction scoring system (EPSS) score for CVE-2013-7040
- EPSS score: 0.37% (probability of exploitation activity in the next 30 days)
- Percentile: ~72% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2013-7040
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:N/A:P | 8.6 | 2.9 | NIST | |
CWE ids for CVE-2013-7040
- Assigned by: nvd@nist.gov (Primary)
References for CVE-2013-7040
- http://www.openwall.com/lists/oss-security/2013/12/09/13 (oss-security - Re: CPython hash secret can be recoved remotely)
- http://www.openwall.com/lists/oss-security/2013/12/09/3 (oss-security - CPython hash secret can be recoved remotely)
- http://bugs.python.org/issue14621 (Issue 14621: Hash function is not randomized properly - Python tracker)
- https://support.apple.com/kb/HT205031 (About the security content of OS X Yosemite v10.10.5 and Security Update 2015-006 - Apple Support; Vendor Advisory)
- http://www.securityfocus.com/bid/64194 (Python CVE-2013-7040 Information Disclosure Weakness)
- http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html (Apple - Lists.apple.com)