CVE-2012-1150 — Missing Release of Memory after Effective Lifetime in Python

CWE-310 CWE-401 — Missing Release of Memory after Effective Lifetime19 documents8 sources

Severity

5.0MEDIUMNVD

NVD4.3

EPSS

1.7%

top 17.45%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Debian Python2.7 Apple MAC OS X Python +2 more

Timeline

PublishedOct 5

Latest updateMay 13

Description

Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.

CVSS vector

AV:N/AC:L/C:N/I:N/A:PExploitability: 10.0 | Impact: 2.9

Affected Packages5 packages

▶debiandebian/python2.7< python2.7 2.7.3~rc1-1 (bullseye)+1

▶NVDpython/python2.6.7+74

▶NVDapple/mac_os_x10.10.4

▶vmwarevmware/vmware_esxi

▶vmwarevmware/vmware_vsphere

Patches

Patch: python.org ↗Patch: python.org ↗Patch: python.org ↗

🔴Vulnerability Details

GHSA

GHSA-9mx9-f554-rw6j: Python before 2↗2022-05-13

▶

GHSA

GHSA-cjvq-9vmj-3482: Python 2↗2022-05-13

▶

OSV

CVE-2013-7040: Python 2↗2014-05-19

▶

OSV

CVE-2012-1150: Python before 2↗2012-10-05

▶

📋Vendor Advisories

Red Hat

python: hash secret can be recovered remotely↗2013-12-09

▶

Debian

CVE-2013-7040: python2.7 - Python 2.7 before 3.4 only uses the last eight bits of the prefix to randomize h...↗2013

▶

VMware

VMware security updates for vSphere API and ESX Service Console↗2012-11-15

▶

Ubuntu

Python 3.1 vulnerabilities↗2012-10-24

▶

Ubuntu

Python 3.2 vulnerabilities↗2012-10-23

▶

💬Community

Bugzilla

CVE-2013-7040 python: hash secret can be recovered remotely↗2013-12-10

▶

Bugzilla

CVE-2012-1150 python: hash table collisions CPU usage DoS (oCERT-2011-003) [fedora-all]↗2012-03-12

▶

Bugzilla

CVE-2012-1150 python: hash table collisions CPU usage DoS (oCERT-2011-003)↗2011-11-01

▶