CVE-2018-1000802: Command Injection in Python

CWE-77: Command Injection
13 documents, 8 sources

Severity
  NVD: 9.8 CRITICAL
  OSV: 3.6
EPSS
  22.3% (top 4.17%)
CISA KEV
  Not in KEV
Exploit
  No known exploits
Timeline
  Published: Sep 18
  Latest update: May 13

Description

Python Software Foundation Python (CPython) version 2.7 contains a CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in the shutil module (make_archive function) that can result in denial of service or information disclosure via injection of arbitrary files on the system or the entire drive. This attack appears to be exploitable via passage of unfiltered user input to the function. This vulnerability appears to have been fixed after commit add531a1e55b0a
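As an added defensive example (not code from this page or from CPython), the guard a caller can put in front of shutil.make_archive so that a user-controlled archive name is validated and confined to a fixed output directory before it ever reaches the function; the allowlist regex, the function names and the output-directory check are assumptions, and the snippet targets Python 3, whose make_archive uses only zipfile/tarfile for the formats allowed here.

```python
import os
import re
import shutil
import tempfile

# Hypothetical allowlist for the user-controlled archive name: letters, digits,
# dot, dash and underscore only. Shell metacharacters, whitespace, path
# separators and a leading dot are rejected before shutil.make_archive is called.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9_-][A-Za-z0-9_.-]{0,63}$")


def validate_archive_name(name):
    """Return the name if it is safe to pass to shutil.make_archive, else raise."""
    if not isinstance(name, str) or not _SAFE_NAME.match(name):
        raise ValueError("archive name contains disallowed characters: %r" % (name,))
    return name


def safe_make_archive(user_name, root_dir, out_dir, fmt="zip"):
    """Archive root_dir under a user-supplied name, confined to out_dir."""
    name = validate_archive_name(user_name)
    out_dir = os.path.realpath(out_dir)
    base_name = os.path.join(out_dir, name)
    # Defence in depth: even after the allowlist, the resolved path must stay
    # inside out_dir (protects against a future relaxation of the regex).
    if os.path.commonpath([out_dir, os.path.realpath(base_name)]) != out_dir:
        raise ValueError("archive path escapes output directory")
    # Only formats that the standard library builds without an external tool.
    if fmt not in ("zip", "gztar"):
        raise ValueError("unsupported archive format: %r" % (fmt,))
    return shutil.make_archive(base_name, fmt, root_dir=root_dir)


def demo():
    """Constructed sample: one well-formed name and one injection-style name."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "src")
        os.mkdir(src)
        with open(os.path.join(src, "hello.txt"), "w") as fh:
            fh.write("hi\n")
        out = os.path.join(tmp, "out")
        os.mkdir(out)
        good = safe_make_archive("report-2018", src, out)
        try:
            safe_make_archive("report; echo injected", src, out)
            rejected = False
        except ValueError:
            rejected = True
        return os.path.basename(good), rejected
```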

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (3 packages)

  NVD: python/python 2.7.0 to 2.7.16
  Debian: debian/python2.7 < 2.7.15-5 (bullseye)
  NVD: opensuse/leap 15.1

Also affects: Debian Linux 8.0, 9.0; Ubuntu Linux 12.04, 14.04, 16.04, 18.04

Patches

Vulnerability Details (3)

  GHSA: GHSA-grfr-pqc4-fqmw: Python Software Foundation Python (CPython) version 2 (2022-05-13)
  OSV: python2.7, python3.4, python3.5 vulnerabilities (2018-11-13)
  OSV: CVE-2018-1000802: Python Software Foundation Python (CPython) version 2 (2018-09-18)

Vendor Advisories (4)

  Ubuntu: Python vulnerabilities (2018-11-15)
  Ubuntu: Python vulnerabilities (2018-11-13)
  Red Hat: python: Command injection in the shutil module (2018-08-29)
  Debian: CVE-2018-1000802: python2.7 - Python Software Foundation Python (CPython) version 2.7 contains a CWE-77: Impro... (2018)

Research Papers (2)

  arXiv: An Analysis of Security Vulnerabilities in Container Images for Scientific Data Analysis (2021-03-17)
  arXiv: Blindspots in Python and Java APIs Result in Vulnerable Code (2021-03-10)

Community (3)

  Bugzilla: CVE-2018-1000802 python2: python: Command injection in the shutil module [fedora-all] (2018-09-21)
  Bugzilla: CVE-2018-1000802 python: Command injection in the shutil module (2018-09-20)
  Bugzilla: CVE-2018-1000802 python26: python: Command injection in the shutil module [fedora-all] (2018-09-20)