CVE-2018-1000807
Published: 8 October 2018
Python Cryptographic Authority pyopenssl version prior to version 17.5.0 contains a CWE-416: Use After Free vulnerability in X509 object handling that can result in Use after free can lead to possible denial of service or remote code execution.. This attack appear to be exploitable via Depends on the calling application and if it retains a reference to the memory.. This vulnerability appears to have been fixed in 17.5.0.
Notes
Author | Note |
---|---|
mdeslaur | requires python-cryptography 2.1.4 which adds X509_up_ref, see https://github.com/pyca/cryptography/pull/4028 |
Priority
Status
Package | Release | Status |
---|---|---|
pyopenssl Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(17.5.0-1)
|
cosmic |
Not vulnerable
(17.5.0-1)
|
|
trusty |
Not vulnerable
(code not present)
|
|
upstream |
Released
(17.5.0)
|
|
xenial |
Released
(0.15.1-2ubuntu0.2)
|
|
Patches: upstream: https://github.com/pyca/pyopenssl/pull/723 upstream: https://github.com/pyca/pyopenssl/commit/e73818600065821d588af475b024f4eb518c3509 |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 8.1 |
Attack vector | Network |
Attack complexity | High |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |