CVSS2 | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | PARTIAL |
Vector | AV:N/AC:L/Au:N/C:N/I:N/A:P |

CVSS3 | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | HIGH |
Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |

EPSS | Value |
---|---|
Percentile | 79.6% |
Modules/_pickle.c in Python before 3.7.1 has an integer overflow via a
large LONG_BINPUT value that is mishandled during a “resize to twice the
size” attempt. This issue might cause memory exhaustion, but is only
relevant if the pickle format is used for serializing tens or hundreds of
gigabytes of data. This issue is fixed in: v3.4.10, v3.4.10rc1; v3.5.10,
v3.5.10rc1, v3.5.7, v3.5.7rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9;
v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.7, v3.6.7rc1,
v3.6.7rc2, v3.6.8, v3.6.8rc1, v3.6.9, v3.6.9rc1; v3.7.1, v3.7.1rc1,
v3.7.1rc2, v3.7.2, v3.7.2rc1, v3.7.3, v3.7.3rc1, v3.7.4, v3.7.4rc1,
v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8,
v3.7.8rc1, v3.7.9.
Author | Note |
---|---|
mdeslaur | bug says 2.7 is not affected |
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 14.04 | noarch | python3.4 | < 3.4.3-1ubuntu1~14.04.7+esm2 | UNKNOWN |
ubuntu | 14.04 | noarch | python3.5 | < 3.5.2-2ubuntu0~16.04.4~14.04.1+esm1 | UNKNOWN |
ubuntu | 16.04 | noarch | python3.5 | < 3.5.2-2ubuntu0~16.04.8 | UNKNOWN |
ubuntu | 18.04 | noarch | python3.6 | < 3.6.7-1~18.04 | UNKNOWN |
ubuntu | 18.10 | noarch | python3.6 | < 3.6.7-1~18.10 | UNKNOWN |
launchpad.net/bugs/cve/CVE-2018-20406
nvd.nist.gov/vuln/detail/CVE-2018-20406
python-security.readthedocs.io/vuln/pickle-load-dos.html
security-tracker.debian.org/tracker/CVE-2018-20406
ubuntu.com/security/notices/USN-4127-1
ubuntu.com/security/notices/USN-4127-2
ubuntu.com/security/notices/USN-6891-1
www.cve.org/CVERecord?id=CVE-2018-20406