Vulnerability CVE-2018-1000802
Published: 2018-09-18

Description:
Python Software Foundation Python (CPython) version 2.7 contains a CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in shutil module (make_archive function) that can result in Denial of service, Information gain via injection of arbitrary files on the system or entire drive. This attack appear to be exploitable via Passage of unfiltered user input to the function. This vulnerability appears to have been fixed in after commit add531a1e55b0a739b0f42582f1c9747e5649ace.

Type:

CWE-78

 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') )

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
7.5/10
6.4/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial
Affected software
Python -> Python 
Debian -> Debian linux 
Canonical -> Ubuntu linux 

 References:
https://bugs.python.org/issue34540
https://github.com/python/cpython/pull/8985
https://github.com/python/cpython/pull/8985/commits/add531a1e55b0a739b0f42582f1c9747e5649ace
https://lists.debian.org/debian-lts-announce/2018/09/msg00030.html
https://lists.debian.org/debian-lts-announce/2018/09/msg00031.html
https://mega.nz/#!JUFiCC4R!mq-jQ8ySFwIhX6WMDujaZuNBfttDVt7DETlfOIQE1ig
https://usn.ubuntu.com/3817-1/
https://usn.ubuntu.com/3817-2/
https://www.debian.org/security/2018/dsa-4306
Copyright 2024, cxsecurity.com

 

Back to Top