Your submission was sent successfully! Close

CVE-2018-1000802

Published: 18 September 2018

Python Software Foundation Python (CPython) version 2.7 contains a CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in shutil module (make_archive function) that can result in Denial of service, Information gain via injection of arbitrary files on the system or entire drive. This attack appear to be exploitable via Passage of unfiltered user input to the function. This vulnerability appears to have been fixed in after commit add531a1e55b0a739b0f42582f1c9747e5649ace.

Priority

Medium

CVSS 3 base score: 9.8

Status

Package Release Status
python2.7
Launchpad, Ubuntu, Debian
bionic
Released (2.7.15~rc1-1ubuntu0.1)
cosmic Not vulnerable
(2.7.15-4ubuntu4)
precise
Released (2.7.3-0ubuntu3.11)
trusty
Released (2.7.6-8ubuntu0.5)
upstream Needs triage

xenial
Released (2.7.12-1ubuntu0~16.04.4)
python3.4
Launchpad, Ubuntu, Debian
bionic Does not exist

cosmic Does not exist

precise Does not exist

trusty
Released (3.4.3-1ubuntu1~14.04.7)
upstream Needs triage

xenial Does not exist

python3.5
Launchpad, Ubuntu, Debian
bionic Does not exist

cosmic Does not exist

precise Does not exist

trusty Not vulnerable
(code present)
upstream Needs triage

xenial Not vulnerable
(code present)
python3.6
Launchpad, Ubuntu, Debian
bionic Not vulnerable
(code not present)
cosmic Not vulnerable
(code not present)
precise Does not exist

trusty Does not exist

upstream Needs triage

xenial Does not exist

python3.7
Launchpad, Ubuntu, Debian
bionic Not vulnerable
(code not present)
cosmic Not vulnerable
(code not present)
precise Does not exist

trusty Does not exist

upstream Needs triage

xenial Does not exist