Vulnerability Details : CVE-2014-4616
Array index error in the scanstring function in the _json module in Python 2.7 through 3.5 and simplejson before 2.6.1 allows context-dependent attackers to read arbitrary process memory via a negative index value in the idx argument to the raw_decode function.
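The pattern the description names is raw_decode() being handed an idx that originates from untrusted input. The following added example (not code from this page, from CPython or from simplejson) shows that pattern in a hypothetical offset-framed message format and the bounds check a caller should apply before passing idx to the decoder. The frame format, the function names and the sample frames are constructed for illustration. On a patched CPython the C scanner also rejects a negative idx with a ValueError (the boundary check the references describe), but the pure-Python fallback scanner applies ordinary Python negative indexing instead, so an explicit check in the caller is what keeps the behaviour uniform across interpreters.

```python
import json

_DECODER = json.JSONDecoder()


def decode_json_at(s: str, idx: int):
    """Decode one JSON value starting at offset idx, after validating idx.

    json.JSONDecoder.raw_decode(s, idx) passes idx to the C scanner in the
    _json module.  Before the CVE-2014-4616 fix a negative idx was applied to
    the string buffer unchecked, so the scanner read process memory before the
    buffer.  Validating here keeps the caller correct on every interpreter and
    turns a bad offset into a clean ValueError.
    """
    if isinstance(idx, bool) or not isinstance(idx, int):
        raise TypeError("idx must be an int")
    # Mirror the bound the decoder itself needs: 0 <= idx <= len(s).
    # idx == len(s) is legal input that simply holds no value.
    if idx < 0 or idx > len(s):
        raise ValueError(f"idx {idx} out of bounds for string of length {len(s)}")
    return _DECODER.raw_decode(s, idx)


def parse_framed(message: str):
    """Parse a constructed '<offset>:<payload>' frame (hypothetical format).

    The offset is attacker-controlled: the sender claims where the JSON value
    starts inside the payload, which is exactly the "idx from untrusted input"
    situation the CVE describes.  Returns (value, end) from raw_decode.
    """
    head, sep, payload = message.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    offset = int(head)  # untrusted: may be negative or past the end
    return decode_json_at(payload, offset)


def frame_status(message: str) -> str:
    """Classify a frame as 'ok', 'rejected' (framing/offset) or 'bad-json'."""
    try:
        parse_framed(message)
    except json.JSONDecodeError:  # subclass of ValueError, so test it first
        return "bad-json"
    except ValueError:
        return "rejected"
    return "ok"


def runtime_rejects_negative_idx() -> bool:
    """Probe whether this interpreter's scanner refuses a negative idx.

    Assumption: a patched CPython C scanner raises ValueError.  The
    pure-Python fallback scanner never had the out-of-bounds read; it treats
    a negative idx like normal Python indexing and may just return a value,
    which is why decode_json_at checks the bound itself.
    """
    try:
        _DECODER.raw_decode('"abc"', -1)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample frames: an 8-byte tag followed by a JSON object.
    frames = [
        '8:LOG-1234{"user": "alice", "admin": false}',   # honest offset
        '-4:LOG-1234{"user": "alice", "admin": false}',  # negative idx: the CVE trigger shape
        '99:LOG-1234{"user": "alice", "admin": false}',  # offset past the end
        '8:LOG-1234{"user": "alice", "admin": ',         # truncated JSON
    ]
    for frame in frames:
        print(f"{frame!r:50} -> {frame_status(frame)}")
    print("scanner rejects negative idx:", runtime_rejects_negative_idx())
```

The check is deliberately placed in the caller rather than relying on the interpreter: a service that accepts frames from the network cannot assume every deployment runs a patched build, and the caller-side check also distinguishes a malformed offset from malformed JSON when reporting the error.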
Products affected by CVE-2014-4616
- cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse_project:opensuse:12.3:*:*:*:*:*:*:*
- cpe:2.3:a:simplejson_project:simplejson:*:*:*:*:*:python:*:*
Threat overview for CVE-2014-4616
- Top countries where our scanners detected CVE-2014-4616: (map not reproduced)
- Top open port discovered on systems with this issue: 8123
- IPs affected by CVE-2014-4616: 139,032
- Threat actors abusing this issue? Yes
Exploit prediction scoring system (EPSS) score for CVE-2014-4616
- EPSS score: 0.14% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~50% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2014-4616
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N | 8.6 | 2.9 | NIST | |
5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N | 2.2 | 3.6 | NIST | |
CWE ids for CVE-2014-4616
- The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array. Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-4616
- openSUSE-SU-2014:0890-1: moderate: python, python3: Fixed JSON module (Mailing List; Third Party Advisory): http://lists.opensuse.org/opensuse-updates/2014-07/msg00015.html
- RHSA-2015:1064 - Security Advisory - Red Hat Customer Portal (Third Party Advisory): http://rhn.redhat.com/errata/RHSA-2015-1064.html
- Python: Multiple vulnerabilities (GLSA 201503-10) - Gentoo security (Patch; Third Party Advisory; VDB Entry): https://security.gentoo.org/glsa/201503-10
- Bug 1112285 - (CVE-2014-4616) python: missing boundary check in JSON module (Issue Tracking; Patch; Third Party Advisory): https://bugzilla.redhat.com/show_bug.cgi?id=1112285
- Issue 21529: JSON module: reading arbitrary process memory - Python tracker (Issue Tracking; Vendor Advisory): http://bugs.python.org/issue21529
- oss-security - Re: CVE request: python: _json module is vulnerable to arbitrary process memory read (Mailing List; Third Party Advisory): http://openwall.com/lists/oss-security/2014/06/24/7
- Python JSON Module '_json.c' Local Information Disclosure Vulnerability (Third Party Advisory; VDB Entry): http://www.securityfocus.com/bid/68119
- #752395 - python2.7: CVE-2014-4616: JSON module: reading arbitrary process memory - Debian Bug report logs (Issue Tracking; Mailing List; Third Party Advisory): https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=752395
- #12297 Python vulnerability: reading arbitrary process memory (Exploit; Patch; Third Party Advisory): https://hackerone.com/reports/12297