XXE attack in python2-tkinter (Alpine package)
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2018-14647 |
| CWE-ID | CWE-611 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
python2-tkinter (Alpine package) Operating systems & Components / Operating system package or component |
| Vendor | Alpine Linux Development Team |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) XXE attack
EUVDB-ID: #VU15760
Risk: Low
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-14647
CWE-ID:
CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to conduct XXE-attack.
The vulnerability exists due to improper handling of XML External Entities (XXEs) when parsing an XML file. A remote attacker can trick the victim into open an XML file that submits malicious input, trigger pathological hash collisions in Expat's internal data structures, consume large amounts CPU and RAM, and cause a denial of service (DoS) condition.
MitigationInstall update from vendor's website.
Vulnerable software versionspython2-tkinter (Alpine package): 2.7.16-r0
External linkshttp://git.alpinelinux.org/aports/commit/?id=5ad0ec7da1064361cc74d56edf7524960f49ef9b
http://git.alpinelinux.org/aports/commit/?id=5372bc29f308df62681eb2d705259cd5cc9b5448
http://git.alpinelinux.org/aports/commit/?id=c01f27f5016fb801d36ffea67177a9f2f6b6f784
http://git.alpinelinux.org/aports/commit/?id=881a54816216d011d1d27286df2693851c86caef
http://git.alpinelinux.org/aports/commit/?id=40a4951871b0a2e718de6a07e0772730fc280d06
http://git.alpinelinux.org/aports/commit/?id=63295e4a667669a5dadf360d6a5e0d3ca67af2c1
http://git.alpinelinux.org/aports/commit/?id=9b8d163f3a9143f9623a5320355ce9901a8f0feb
http://git.alpinelinux.org/aports/commit/?id=2757235ef94f59233d2dc36eff13adabb4b91306
http://git.alpinelinux.org/aports/commit/?id=fa1c2c7dc62ae0bcfa5d21d98e7646ba5a21c963
http://git.alpinelinux.org/aports/commit/?id=47b45e6408f07c2789e3662d06f25e1c434a9d6a
http://git.alpinelinux.org/aports/commit/?id=66574119245fb529a95130df97be423d3f6218e8
http://git.alpinelinux.org/aports/commit/?id=9d48a71d9895becc1428522aee341f26034aa3ab
http://git.alpinelinux.org/aports/commit/?id=45bea4333be5abe733052c6122bc6eb77f85aa13
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
