Vulnerability Details : CVE-2018-1000808
Python Cryptographic Authority pyopenssl version Before 17.5.0 contains a CWE - 401 : Failure to Release Memory Before Removing Last Reference vulnerability in PKCS #12 Store that can result in Denial of service if memory runs low or is exhausted. This attack appear to be exploitable via Depends upon calling application, however it could be as simple as initiating a TLS connection. Anything that would cause the calling application to reload certificates from a PKCS #12 store.. This vulnerability appears to have been fixed in 17.5.0.
Vulnerability category: Denial of service
Products affected by CVE-2018-1000808
- cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:openstack:13:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:gluster_storage:3.0:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
- cpe:2.3:a:pyopenssl_project:pyopenssl:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-1000808
0.28%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 68 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2018-1000808
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3
|
MEDIUM | AV:N/AC:M/Au:N/C:N/I:N/A:P |
8.6
|
2.9
|
NIST | |
5.9
|
MEDIUM | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
2.2
|
3.6
|
NIST |
CWE ids for CVE-2018-1000808
-
The product does not release or incorrectly releases a resource before it is made available for re-use.Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-1000808
-
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00014.html
[security-announce] openSUSE-SU-2019:1104-1: important: Security update
-
https://github.com/pyca/pyopenssl/pull/723
fix a memory leak and a potential UAF and also #722 by reaperhulk · Pull Request #723 · pyca/pyopenssl · GitHubPatch;Third Party Advisory
-
https://access.redhat.com/errata/RHSA-2019:0085
RHSA-2019:0085 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://usn.ubuntu.com/3813-1/
USN-3813-1: pyOpenSSL vulnerabilities | Ubuntu security noticesThird Party Advisory
Jump to