CVE-2018-14647 — Incorrect Usage of Seeds in Pseudo-Random Number Generator in Python

CWE-335 — Incorrect Usage of Seeds in Pseudo-Random Number Generator CWE-665 — Improper Initialization CWE-909 — Missing Initialization of Resource24 documents9 sources

Severity

7.5HIGHNVD

OSV7.6OSV3.6

EPSS

1.6%

top 18.05%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Python THE Python Project Python Canonical Ubuntu Linux +6 more

Timeline

PublishedSep 25

Latest updateJul 11

Description

Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization. This could make it easy to conduct denial of service attacks against Expat by constructing an XML document that would cause pathological hash collisions in Expat's internal data structures, consuming large amounts CPU and RAM. The vulnerability exists in Python versions 3.7.0, 3.6.0 through 3.6.6, 3.5.0 through 3.5.6, 3.4.0 through 3.4.9, 2.7.0 through 2.7.15.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages6 packages

▶NVDpython/python2.7.0 — 2.7.15+4

▶CVEListV5the_python_project/python3.8, 3.7, 3.6, 3.5, 3.4, 2.7

▶NVDopensuse/leap15.1

▶NVDredhat/enterprise_linux_server7.0

▶NVDredhat/enterprise_linux_desktop7.0

Also affects: Debian Linux 8.0, 9.0, Fedora 30, Ubuntu Linux 12.04, 14.04, 16.04, 18.04

Patches

Patch: bugs.python.org ↗Patch: bugs.python.org ↗

🔴Vulnerability Details

OSV

python3.5, python3.6, python3.7, python3.8, python3.9, python3.10, python3.11, python3.12 vulnerabilities↗2024-07-11

▶

GHSA

GHSA-gvw2-fvqg-v8mm: Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization↗2022-05-13

▶

OSV

python2.7, python3.4, python3.5 vulnerabilities↗2018-11-13

▶

CVEList

CVE-2018-14647: Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization↗2018-09-25

▶

OSV

CVE-2018-14647: Python's elementtree C accelerator failed to initialise Expat's hash salt during initialization↗2018-09-25

▶

📋Vendor Advisories

Ubuntu

Python vulnerabilities↗2024-07-11

▶

Ubuntu

Python vulnerabilities↗2018-11-15

▶

Ubuntu

Python vulnerabilities↗2018-11-13

▶

Red Hat

python: Missing salt initialization in _elementtree.c module↗2018-09-22

▶

Debian

CVE-2018-14647: python2.7 - Python's elementtree C accelerator failed to initialise Expat's hash salt during...↗2018

▶

💬Community

HackerOne

XML hash collision DoS vulnerability in Python's xml.etree module↗2018-10-31

▶

Bugzilla

CVE-2018-14647 python36: python: Missing salt initialization in _elementtree.c module [fedora-all]↗2018-09-25

▶

Bugzilla

CVE-2018-14647 python3: python: Missing salt initialization in _elementtree.c module [fedora-all]↗2018-09-24

▶

Bugzilla

CVE-2018-14647 python34: python: Missing salt initialization in _elementtree.c module [fedora-all]↗2018-09-24

▶

Bugzilla

CVE-2018-14647 python26: python: Missing salt initialization in _elementtree.c module [fedora-all]↗2018-09-24

▶