CVE-2017-18207 — Divide By Zero in Python

CWE-369 — Divide By Zero4 documents4 sources

Severity

6.5MEDIUMNVD

EPSS

0.6%

top 31.41%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Python Msrc Cbl2 Python2 2.7.18-8 ON CBL Mariner 2.0 Msrc CBL Mariner 1.0 ARM +4 more

Timeline

PublishedMar 1

Latest updateMay 13

Description

The Wave_read._read_fmt_chunk function in Lib/wave.py in Python through 3.6.4 does not ensure a nonzero channel value, which allows attackers to cause a denial of service (divide-by-zero and exception) via a crafted wav format audio file. NOTE: the vendor disputes this issue because Python applications "need to be prepared to handle a wide variety of exceptions.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages7 packages

▶NVDpython/python3.6.4

▶msrcmsrc/cm1_python2_2.7.18-5_on_cbl_mariner_1.0

▶msrcmsrc/cbl2_python2_2.7.18-8_on_cbl_mariner_2.0

▶msrcmsrc/cbl_mariner_1.0_arm

▶msrcmsrc/cbl_mariner_1.0_x64

🔴Vulnerability Details

GHSA

GHSA-h3x9-7xx2-w832: ** DISPUTED ** The Wave_read↗2022-05-13

▶

OSV

CVE-2017-18207: The Wave_read↗2018-03-01

▶

📋Vendor Advisories

Microsoft

The Wave_read._read_fmt_chunk function in Lib/wave.py in Python through 3.6.4 does not ensure a nonzero channel value which allows attackers to cause a denial of service (divide-by-zero and exception)↗2018-03-13

▶