Vulnerability Details : CVE-2018-1000808

Python Cryptographic Authority pyopenssl version Before 17.5.0 contains a CWE - 401 : Failure to Release Memory Before Removing Last Reference vulnerability in PKCS #12 Store that can result in Denial of service if memory runs low or is exhausted. This attack appear to be exploitable via Depends upon calling application, however it could be as simple as initiating a TLS connection. Anything that would cause the calling application to reload certificates from a PKCS #12 store.. This vulnerability appears to have been fixed in 17.5.0.

Vulnerability category: Denial of service

Published 2018-10-08 15:29:01

Updated 2021-08-04 17:14:47

Source MITRE

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2018-1000808

Probability of exploitation activity in the next 30 days: 0.32%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 67 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2018-1000808

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:N/I:N/A:P	8.6	2.9	[email protected]
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial
5.9	MEDIUM	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H	2.2	3.6	[email protected]
Attack Vector: Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE ids for CVE-2018-1000808

CWE-404 Improper Resource Shutdown or Release

The product does not release or incorrectly releases a resource before it is made available for re-use.

Assigned by: [email protected] (Primary)

References for CVE-2018-1000808

http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00014.html

CVEs referencing this url
https://github.com/pyca/pyopenssl/pull/723

Patch;Third Party Advisory

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2019:0085

Third Party Advisory

CVEs referencing this url
https://usn.ubuntu.com/3813-1/

Third Party Advisory

CVEs referencing this url

Products affected by CVE-2018-1000808

Redhat » Enterprise Linux Desktop » Version: 7.0
cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Server » Version: 7.0
cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux Workstation » Version: 7.0
cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
Matching versions
Redhat » Openstack » Version: 13
cpe:2.3:a:redhat:openstack:13:*:*:*:*:*:*:*
Matching versions
Redhat » Gluster Storage » Version: 3.0
cpe:2.3:a:redhat:gluster_storage:3.0:*:*:*:*:*:*:*
Matching versions
Canonical » Ubuntu Linux » Version: 16.04 LTS Edition
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
Matching versions
Pyopenssl Project » Pyopenssl
Versions before (<) 17.5.0
cpe:2.3:a:pyopenssl_project:pyopenssl:*:*:*:*:*:*:*:*
Matching versions