Vulnerability details: VCID-x6nm-wmxr-aaad
Vulnerability ID VCID-x6nm-wmxr-aaad
Aliases CVE-2018-1000802
Summary Python Software Foundation Python (CPython) version 2.7 contains a CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in the shutil module (make_archive function) that can result in denial of service, information gain via injection of arbitrary files on the system or entire drive. This attack appears to be exploitable via passage of unfiltered user input to the function. This vulnerability appears to have been fixed after commit add531a1e55b0a739b0f42582f1c9747e5649ace.
Status Published
Exploitability 0.5
Weighted Severity 8.8
Risk 4.4
System Score Found at
generic_textual Medium http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-1000802.html
cvssv3 6.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-1000802.json
epss 0.00962 https://api.first.org/data/v1/epss?cve=CVE-2018-1000802
epss 0.01653 https://api.first.org/data/v1/epss?cve=CVE-2018-1000802
epss 0.22499 https://api.first.org/data/v1/epss?cve=CVE-2018-1000802
epss 0.2441 https://api.first.org/data/v1/epss?cve=CVE-2018-1000802
epss 0.52776 https://api.first.org/data/v1/epss?cve=CVE-2018-1000802
rhbs medium https://bugzilla.redhat.com/show_bug.cgi?id=1631420
generic_textual Medium https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000802
generic_textual Low https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1060
generic_textual Low https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1061
generic_textual Medium https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14647
cvssv3 5.3 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
generic_textual Medium https://mega.nz/#!JUFiCC4R!mq-jQ8ySFwIhX6WMDujaZuNBfttDVt7DETlfOIQE1ig
cvssv2 7.5 https://nvd.nist.gov/vuln/detail/CVE-2018-1000802
cvssv3 9.8 https://nvd.nist.gov/vuln/detail/CVE-2018-1000802
cvssv3.1 9.8 https://nvd.nist.gov/vuln/detail/CVE-2018-1000802
generic_textual Medium https://ubuntu.com/security/notices/USN-3817-1
generic_textual Medium https://ubuntu.com/security/notices/USN-3817-2
Reference id Reference type URL
http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html
http://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-1000802.html
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-1000802.json
https://api.first.org/data/v1/epss?cve=CVE-2018-1000802
https://bugs.python.org/issue34540
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000802
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1060
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1061
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14647
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/python/cpython/pull/8985
https://github.com/python/cpython/pull/8985/commits/add531a1e55b0a739b0f42582f1c9747e5649ace
https://lists.debian.org/debian-lts-announce/2018/09/msg00030.html
https://lists.debian.org/debian-lts-announce/2018/09/msg00031.html
https://mega.nz/#%21JUFiCC4R%21mq-jQ8ySFwIhX6WMDujaZuNBfttDVt7DETlfOIQE1ig
https://mega.nz/#!JUFiCC4R!mq-jQ8ySFwIhX6WMDujaZuNBfttDVt7DETlfOIQE1ig
https://security.netapp.com/advisory/ntap-20230309-0002/
https://ubuntu.com/security/notices/USN-3817-1
https://ubuntu.com/security/notices/USN-3817-2
https://usn.ubuntu.com/3817-1/
https://usn.ubuntu.com/3817-2/
https://www.debian.org/security/2018/dsa-4306
1631420 https://bugzilla.redhat.com/show_bug.cgi?id=1631420
909673 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=909673
cpe:2.3:a:python:python:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
cpe:2.3:a:python:python:2.7.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:python:python:2.7.0:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
CVE-2018-1000802 https://nvd.nist.gov/vuln/detail/CVE-2018-1000802
No exploits are available.
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-1000802.json
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P Found at https://nvd.nist.gov/vuln/detail/CVE-2018-1000802
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2018-1000802
Exploit Prediction Scoring System (EPSS)
Percentile 0.83724
EPSS Score 0.00962
Published At Nov. 1, 2024, midnight
Date Actor Action Source VulnerableCode Version
There are no relevant records.