Vulnerability Details : CVE-2014-1912
Buffer overflow in the socket.recvfrom_into function in Modules/socketmodule.c in Python 2.5 before 2.7.7, 3.x before 3.3.4, and 3.4.x before 3.4rc1 allows remote attackers to execute arbitrary code via a crafted string.
Vulnerability category: OverflowExecute code
Products affected by CVE-2014-1912
- cpe:2.3:o:apple:mac_os_x:*:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:2.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.1:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.2:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.2:alpha:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.0:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:2.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:2.5.4:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:2.6.7:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:2.6.6:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:2.6.5:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:2.5.3:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:2.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:2.6.4:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:2.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:2.6.3:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:2.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:2.7.2:rc1:*:*:*:*:*:*
- cpe:2.3:a:python:python:2.7.1:rc1:*:*:*:*:*:*
- cpe:2.3:a:python:python:2.6.2150:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:2.7.2150:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:2.6.8:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:2.7.1150:*:*:*:*:*:x64:*
- cpe:2.3:a:python:python:3.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:2.6.6150:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:2.7.1150:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.1.2150:*:*:*:*:*:x64:*
- cpe:2.3:a:python:python:2.7.3:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:2.5.6:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:2.5.150:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.2.2150:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.3:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.3:beta2:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.4:alpha1:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:2.7.5:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:2.7.6:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:2.7.4:*:*:*:*:*:*:*
Threat overview for CVE-2014-1912
Top countries where our scanners detected CVE-2014-1912
Top open port discovered on systems with this issue
8123
IPs affected by CVE-2014-1912 128,539
Threat actors abusing to this issue?
Yes
Find out if you* are
affected by CVE-2014-1912!
*Directly or indirectly through your vendors, service providers and 3rd parties.
Powered by
attack surface intelligence
from SecurityScorecard.
Exploit prediction scoring system (EPSS) score for CVE-2014-1912
38.99%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 97 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2014-1912
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5
|
HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
10.0
|
6.4
|
NIST |
CWE ids for CVE-2014-1912
-
The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-1912
-
http://rhn.redhat.com/errata/RHSA-2015-1064.html
RHSA-2015:1064 - Security Advisory - Red Hat Customer Portal
-
http://lists.opensuse.org/opensuse-updates/2014-05/msg00008.html
openSUSE-SU-2014:0597-1: moderate: update for python3
-
http://www.securitytracker.com/id/1029831
Python Buffer Overflow in socket.recvfrom_into() Lets Remote Users Execute Arbitrary Code - SecurityTracker
-
https://security.gentoo.org/glsa/201503-10
Python: Multiple vulnerabilities (GLSA 201503-10) — Gentoo security
-
http://www.debian.org/security/2014/dsa-2880
Debian -- Security Information -- DSA-2880-1 python2.7
-
http://hg.python.org/cpython/rev/87673659d8f7
cpython: 87673659d8f7
-
https://support.apple.com/kb/HT205031
About the security content of OS X Yosemite v10.10.5 and Security Update 2015-006 - Apple SupportVendor Advisory
-
http://pastebin.com/raw.php?i=GHXSmNEg
Exploit
-
http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html
Oracle Linux Bulletin - January 2016
-
https://www.trustedsec.com/february-2014/python-remote-code-execution-socket-recvfrom_into/
Python Remote Code Execution in socket.recvfrom_into()Exploit
-
http://rhn.redhat.com/errata/RHSA-2015-1330.html
RHSA-2015:1330 - Security Advisory - Red Hat Customer Portal
-
http://www.ubuntu.com/usn/USN-2125-1
USN-2125-1: Python vulnerability | Ubuntu security notices
-
http://www.openwall.com/lists/oss-security/2014/02/12/16
oss-security - Re: CVE request? buffer overflow in socket.recvfrom_into
-
http://www.exploit-db.com/exploits/31875
Python - 'socket.recvfrom_into()' Remote Buffer Overflow - Linux remote ExploitExploit
-
http://lists.apple.com/archives/security-announce/2015/Aug/msg00001.html
Apple - Lists.apple.com
-
http://bugs.python.org/issue20246
Issue 20246: buffer overflow in socket.recvfrom_into - Python trackerPatch
-
http://www.securityfocus.com/bid/65379
Python 'sock_recvfrom_into()' Function Buffer Overflow Vulnerability
-
http://lists.opensuse.org/opensuse-updates/2014-04/msg00035.html
openSUSE-SU-2014:0518-1: moderate: update for python
-
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
Oracle Critical Patch Update - July 2017
Jump to