#VU15760 XXE attack in Python


| Updated: 2018-11-08

Vulnerability identifier: #VU15760

Vulnerability risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-14647

CWE-ID: CWE-611

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Python
Universal components / Libraries / Scripting languages

Vendor: Python.org

Description
The vulnerability allows a remote attacker to conduct XXE-attack.

The vulnerability exists due to improper handling of XML External Entities (XXEs) when parsing an XML file. A remote attacker can trick the victim into open an XML file that submits malicious input, trigger pathological hash collisions in Expat's internal data structures, consume large amounts CPU and RAM, and cause a denial of service (DoS) condition.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Python: 2.7, 3.4, 3.6, 3.5, 3.8, 3.7

External links
http://bugs.python.org/issue34623

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Ubuntu update for python3.10
Multiple vulnerabilities in Dell EMC Data Computing Appliance (DCA)
Multiple vulnerabilities in Dell EMC Unity Family
Multiple vulnerabilities in Dell EMC Cyber Recovery
Red Hat Enterprise Linux 7 update for python
Red Hat Enterprise Linux 7 update for python
Red Hat Enterprise Linux 7 update for python
Red Hat update for rh-python36-python
Red Hat update for python
Red Hat Software Collections update for python27-python and python27-python-jinja2