CVE-2018-20406

Impact:
Low
Public Date:
2018-09-21
Bugzilla:
1664509: CVE-2018-20406 python: Integer overflow in Modules/_pickle.c allows for memory exhaustion if serializing gigabytes of data

The MITRE CVE dictionary describes this issue as:

Modules/_pickle.c in Python before 3.7.1 has an integer overflow via a large LONG_BINPUT value that is mishandled during a "resize to twice the size" attempt. This issue might cause memory exhaustion, but is only relevant if the pickle format is used for serializing tens or hundreds of gigabytes of data.

Find out more about CVE-2018-20406 from the MITRE CVE dictionary and NIST NVD.
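As an added illustration (not CPython's `_pickle.c` and not part of the advisory), the "resize to twice the size" arithmetic described above, modelled in C with the unchecked doubling beside a hardened form that rejects an index before multiplying; the function names, the `max_size` ceiling, the 32-bit size type and the sample operands are assumptions chosen so the wrap is reproducible on any host.

```c
#include <stdint.h>

/* Model of the memo-resize arithmetic described above. Illustrative code,
   not CPython's _pickle.c: sizes are uint32_t so the wrap is reproducible
   on any host, and no memory is actually allocated. */

/* LONG_BINPUT's operand is a 4-byte little-endian memo index. */
uint32_t decode_long_binput_arg(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Unchecked "resize to twice the size": room for entries 0..idx, doubled.
   For idx >= 0x7FFFFFFF the product wraps modulo 2^32 and the result no
   longer covers idx. */
uint32_t grow_unchecked(uint32_t idx)
{
    return (idx + 1) * 2;
}

/* Hardened variant: reject before multiplying when the doubled size would
   exceed max_size (a caller-chosen ceiling that also bounds the allocation
   a hostile index could demand). Returns 0 on rejection; 2 is the smallest
   valid result, so 0 is unambiguous. */
uint32_t grow_checked(uint32_t idx, uint32_t max_size)
{
    if (idx >= max_size / 2)
        return 0;
    return (idx + 1) * 2;
}

/* Memo put using the hardened growth: returns the memo size after the
   operation, or 0 if the index was rejected. */
uint32_t memo_put_checked(uint32_t memo_size, const unsigned char *arg,
                          uint32_t max_size)
{
    uint32_t idx = decode_long_binput_arg(arg);
    if (idx < memo_size)
        return memo_size;          /* slot exists, no resize */
    return grow_checked(idx, max_size);
}

/* Constructed sample operands: index 32, and index 0x80000000. */
const unsigned char SAMPLE_SMALL_ARG[4] = {0x20, 0x00, 0x00, 0x00};
const unsigned char SAMPLE_HUGE_ARG[4]  = {0x00, 0x00, 0x00, 0x80};
```

With the huge operand, `grow_unchecked` wraps to 2 while `grow_checked` returns 0, which is the rejection a hardened unpickler would turn into an error instead of trusting the wrapped size.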

Statement

This issue did not affect the versions of python as shipped with Red Hat Enterprise Linux 5, 6 and 7.

CVSS v3 metrics

NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.

CVSS3 Base Score: 5.9
CVSS3 Base Metrics: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High

Affected Packages State

Platform | Package | State
Red Hat Software Collections for Red Hat Enterprise Linux | rh-python35-python | Affected
Red Hat Software Collections for Red Hat Enterprise Linux | rh-python36-python | Affected
Red Hat Enterprise Linux 8 | python36 | Affected
Red Hat Enterprise Linux 8 | python3 | Not affected
Red Hat Enterprise Linux 8 | python36:3.6/python36 | Affected
Red Hat Enterprise Linux 7 | python | Not affected
Red Hat Enterprise Linux 6 | python | Not affected
Red Hat Enterprise Linux 5 | python | Not affected

CVE description copyright © 2017, The MITRE Corporation