Vulnerability Details : CVE-2018-1061
python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in the difflib.IS_LINE_JUNK method. An attacker could use this flaw to cause denial of service.
Vulnerability categories: Input validation; Denial of service
Products affected by CVE-2018-1061
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:ansible_tower:3.3:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
- cpe:2.3:o:fedoraproject:fedora:28:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.7.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.7.0:beta4:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.7.0:alpha3:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.7.0:alpha4:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.7.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.7.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.7.0:alpha1:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.7.0:alpha2:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.7.0:beta5:*:*:*:*:*:*
- cpe:2.3:a:python:python:3.7.0:rc1:*:*:*:*:*:*
Threat overview for CVE-2018-1061
- Top countries where our scanners detected CVE-2018-1061: (no data shown)
- Top open port discovered on systems with this issue: 8123
- IPs affected by CVE-2018-1061: 182,813
- Threat actors abusing this issue: Yes
Exploit prediction scoring system (EPSS) score for CVE-2018-1061
- EPSS score: 0.63% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~77% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2018-1061
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P | 10.0 | 2.9 | NIST | 
7.5 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | NIST | 
6.5 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H | 2.8 | 3.6 | Red Hat, Inc. | 
CWE ids for CVE-2018-1061
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Assigned by: secalert@redhat.com (Secondary)
References for CVE-2018-1061
- RHSA-2019:3725 - Security Advisory - Red Hat Customer Portal: https://access.redhat.com/errata/RHSA-2019:3725
- USN-3817-2: Python vulnerabilities | Ubuntu security notices (Third Party Advisory): https://usn.ubuntu.com/3817-2/
- [SECURITY] Fedora 28 Update: python35-3.5.7-1.fc28 - package-announce - Fedora Mailing-Lists (Mailing List; Third Party Advisory): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AEZ5IQT7OF7Q2NCGIVABOWYGKO7YU3NJ/
- RHSA-2018:3041 - Security Advisory - Red Hat Customer Portal (Third Party Advisory): https://access.redhat.com/errata/RHSA-2018:3041
- RHBA-2019:0327 - Bug Fix Advisory - Red Hat Customer Portal (Third Party Advisory): https://access.redhat.com/errata/RHBA-2019:0327
- Debian -- Security Information -- DSA-4307-1 python3.5 (Third Party Advisory): https://www.debian.org/security/2018/dsa-4307
- [SECURITY] [DLA 1520-1] python3.4 security update (Mailing List; Third Party Advisory): https://lists.debian.org/debian-lts-announce/2018/09/msg00031.html
- HPESBST03951 rev.1 - HPE Command View Advanced Edition CVAE (Virtual Appliance only), Remote Denial of Service: https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03951en_us
- RHSA-2018:3505 - Security Advisory - Red Hat Customer Portal (Third Party Advisory): https://access.redhat.com/errata/RHSA-2018:3505
- Python Backtracking Errors Let Remote Authenticated Users Cause the Target System to Crash - SecurityTracker (Third Party Advisory; VDB Entry): http://www.securitytracker.com/id/1042001
- [SECURITY] [DLA 1519-1] python2.7 security update (Mailing List; Third Party Advisory): https://lists.debian.org/debian-lts-announce/2018/09/msg00030.html
- Issue 32981: Catastrophic backtracking in poplib (CVE-2018-1060) and difflib (CVE-2018-1061) - Python tracker (Vendor Advisory): https://bugs.python.org/issue32981
- [security-announce] openSUSE-SU-2020:0086-1: important: Security update: http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html
- RHSA-2019:1260 - Security Advisory - Red Hat Customer Portal: https://access.redhat.com/errata/RHSA-2019:1260
- [SECURITY] Fedora 29 Update: python35-3.5.7-1.fc29 - package-announce - Fedora Mailing-Lists (Mailing List; Third Party Advisory): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JSKPGPZQNTAULHW4UH63KGOOUIDE4RRB/
- Changelog — Python 3.6.9 documentation (Vendor Advisory): https://docs.python.org/3.6/whatsnew/changelog.html#python-3-6-5-release-candidate-1
- [SECURITY] Fedora 30 Update: python35-3.5.7-1.fc30 - package-announce - Fedora Mailing-Lists (Mailing List; Third Party Advisory): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/46PVWY5LFP4BRPG3BVQ5QEEFYBVEXHCK/
- Changelog — Python 3.5.7 documentation (Vendor Advisory): https://docs.python.org/3.5/whatsnew/changelog.html#python-3-5-6-release-candidate-1
- 1549192 – (CVE-2018-1061) CVE-2018-1061 python: DOS via regular expression backtracking in difflib.IS_LINE_JUNK method in difflib (Issue Tracking): https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-1061
- USN-3817-1: Python vulnerabilities | Ubuntu security notices (Third Party Advisory): https://usn.ubuntu.com/3817-1/
- Debian -- Security Information -- DSA-4306-1 python2.7 (Third Party Advisory): https://www.debian.org/security/2018/dsa-4306