Vulnerability Details : CVE-2018-1060
Potential exploit
Python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in poplib's apop() method. An attacker could use this flaw to cause a denial of service.
Vulnerability category: Input validation; Denial of service
Products affected by CVE-2018-1060
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:ansible_tower:3.3:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
- cpe:2.3:o:fedoraproject:fedora:28:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
Threat overview for CVE-2018-1060
- Top open port discovered on systems with this issue: 80
- IPs affected by CVE-2018-1060: 206,816
- Threat actors abusing this issue: Yes
Exploit prediction scoring system (EPSS) score for CVE-2018-1060
- EPSS score: 0.50% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~76% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2018-1060
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P | 10.0 | 2.9 | NIST | |
4.3 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L | 2.8 | 1.4 | Red Hat, Inc. | |
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | NIST | |
CWE ids for CVE-2018-1060
- CWE-20 (Improper Input Validation): The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: secalert@redhat.com (Secondary)
References for CVE-2018-1060
- https://access.redhat.com/errata/RHSA-2019:3725 : RHSA-2019:3725 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- https://www.oracle.com/security-alerts/cpujan2020.html : Oracle Critical Patch Update Advisory - January 2020 (Third Party Advisory)
- https://usn.ubuntu.com/3817-2/ : USN-3817-2: Python vulnerabilities | Ubuntu security notices (Third Party Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1060 : 1549191 – (CVE-2018-1060) CVE-2018-1060 python: DOS via regular expression catastrophic backtracking in apop() method in pop3lib (Issue Tracking; Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AEZ5IQT7OF7Q2NCGIVABOWYGKO7YU3NJ/ : [SECURITY] Fedora 28 Update: python35-3.5.7-1.fc28 - package-announce - Fedora Mailing-Lists (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2018:3041 : RHSA-2018:3041 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- https://access.redhat.com/errata/RHBA-2019:0327 : RHBA-2019:0327 - Bug Fix Advisory - Red Hat Customer Portal (Third Party Advisory)
- https://www.debian.org/security/2018/dsa-4307 : Debian -- Security Information -- DSA-4307-1 python3.5 (Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2018/09/msg00031.html : [SECURITY] [DLA 1520-1] python3.4 security update (Mailing List; Third Party Advisory)
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03951en_us : HPESBST03951 rev.1 - HPE Command View Advanced Edition CVAE (Virtual Appliance only), Remote Denial of Service (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2018:3505 : RHSA-2018:3505 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- http://www.securitytracker.com/id/1042001 : Python Backtracking Errors Let Remote Authenticated Users Cause the Target System to Crash - SecurityTracker (Third Party Advisory; VDB Entry)
- https://lists.debian.org/debian-lts-announce/2018/09/msg00030.html : [SECURITY] [DLA 1519-1] python2.7 security update (Mailing List; Third Party Advisory)
- https://bugs.python.org/issue32981 : Issue 32981: Catastrophic backtracking in poplib (CVE-2018-1060) and difflib (CVE-2018-1061) - Python tracker (Exploit; Issue Tracking; Vendor Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html : [security-announce] openSUSE-SU-2020:0086-1: important: Security update (Mailing List; Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2019:1260 : RHSA-2019:1260 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JSKPGPZQNTAULHW4UH63KGOOUIDE4RRB/ : [SECURITY] Fedora 29 Update: python35-3.5.7-1.fc29 - package-announce - Fedora Mailing-Lists (Third Party Advisory)
- https://docs.python.org/3.6/whatsnew/changelog.html#python-3-6-5-release-candidate-1 : Changelog — Python 3.6.9 documentation (Product; Vendor Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/46PVWY5LFP4BRPG3BVQ5QEEFYBVEXHCK/ : [SECURITY] Fedora 30 Update: python35-3.5.7-1.fc30 - package-announce - Fedora Mailing-Lists (Third Party Advisory)
- https://docs.python.org/3.5/whatsnew/changelog.html#python-3-5-6-release-candidate-1 : Changelog — Python 3.5.7 documentation (Product; Vendor Advisory)
- https://usn.ubuntu.com/3817-1/ : USN-3817-1: Python vulnerabilities | Ubuntu security notices (Third Party Advisory)
- https://www.debian.org/security/2018/dsa-4306 : Debian -- Security Information -- DSA-4306-1 python2.7 (Third Party Advisory)