Red Hat Enterprise Linux 8 update for the python38:3.8 module
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 5 |
| CVE-ID | CVE-2019-20477 CVE-2019-20907 CVE-2020-1747 CVE-2020-8492 CVE-2020-14422 |
| CWE-ID | CWE-284 CWE-835 CWE-20 CWE-399 CWE-400 |
| Exploitation vector | Network |
| Public exploit | Public exploit code for vulnerability #4 is available. |
| Vulnerable software Subscribe |
Red Hat Enterprise Linux for ARM 64 Operating systems & Components / Operating system Red Hat Enterprise Linux for Power, little endian Operating systems & Components / Operating system Red Hat Enterprise Linux for IBM z Systems Operating systems & Components / Operating system Red Hat Enterprise Linux for x86_64 Operating systems & Components / Operating system |
| Vendor | Red Hat Inc. |
Security Bulletin
This security bulletin contains information about 5 vulnerabilities.
1) Improper access control
EUVDB-ID: #VU25542
Risk: High
CVSSv3.1:
CVE-ID: CVE-2019-20477
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions in the "load" and "load_all" functions. A remote attacker can bypass implemented security restrictions and gain unauthorized access to the application.
MitigationInstall updates from vendor's website.
Red Hat Enterprise Linux for ARM 64: 8
Red Hat Enterprise Linux for Power, little endian: 8
Red Hat Enterprise Linux for IBM z Systems: 8
Red Hat Enterprise Linux for x86_64: 8.0
CPE2.3 External linkshttp://access.redhat.com/errata/RHSA-2020:4641
Q & A
Can this vulnerability be exploited remotely?
Is there known malware, which exploits this vulnerability?
2) Infinite loop
EUVDB-ID: #VU32881
Risk: Medium
CVSSv3.1:
CVE-ID: CVE-2019-20907
CWE-ID:
CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop In Lib/tarfile.py in Python. A remote attacker can create a specially crafted TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation.
MitigationInstall updates from vendor's website.
Red Hat Enterprise Linux for ARM 64: 8
Red Hat Enterprise Linux for Power, little endian: 8
Red Hat Enterprise Linux for IBM z Systems: 8
Red Hat Enterprise Linux for x86_64: 8.0
CPE2.3 External linkshttp://access.redhat.com/errata/RHSA-2020:4641
Q & A
Can this vulnerability be exploited remotely?
Is there known malware, which exploits this vulnerability?
3) Input validation error
EUVDB-ID: #VU25823
Risk: High
CVSSv3.1:
CVE-ID: CVE-2020-1747
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insufficient validation of user-supplied input when processing untrusted YAML files passed via the "full_load" method or with the "FullLoader" loader. A remote attacker can pass specially crafted input to the application and execute arbitrary code by abusing the python/object/new constructor.
MitigationInstall updates from vendor's website.
Red Hat Enterprise Linux for ARM 64: 8
Red Hat Enterprise Linux for Power, little endian: 8
Red Hat Enterprise Linux for IBM z Systems: 8
Red Hat Enterprise Linux for x86_64: 8.0
CPE2.3 External linkshttp://access.redhat.com/errata/RHSA-2020:4641
Q & A
Can this vulnerability be exploited remotely?
Is there known malware, which exploits this vulnerability?
4) Resource management error
EUVDB-ID: #VU25631
Risk: Medium
CVSSv3.1:
CVE-ID: CVE-2020-8492
CWE-ID:
CWE-399 - Resource Management Errors
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper input validation in urllib.request.AbstractBasicAuthHandler when processing HTTP responses. A remote attacker who controls a HTTP server can send a specially crafted HTTP response to the client application and conduct Regular Expression Denial of Service (ReDoS) attack.
MitigationInstall updates from vendor's website.
Red Hat Enterprise Linux for ARM 64: 8
Red Hat Enterprise Linux for Power, little endian: 8
Red Hat Enterprise Linux for IBM z Systems: 8
Red Hat Enterprise Linux for x86_64: 8.0
CPE2.3 External linkshttp://access.redhat.com/errata/RHSA-2020:4641
Q & A
Can this vulnerability be exploited remotely?
Is there known malware, which exploits this vulnerability?
5) Resource exhaustion
EUVDB-ID: #VU29544
Risk: Medium
CVSSv3.1:
CVE-ID: CVE-2020-14422
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application improperly computes hash values in the IPv4Interface and IPv6Interface classes within the Lib/ipaddress.py in Python. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this attacker can cause many dictionary entries to be created.
MitigationInstall updates from vendor's website.
Red Hat Enterprise Linux for ARM 64: 8
Red Hat Enterprise Linux for Power, little endian: 8
Red Hat Enterprise Linux for IBM z Systems: 8
Red Hat Enterprise Linux for x86_64: 8.0
CPE2.3 External linkshttp://access.redhat.com/errata/RHSA-2020:4641
Q & A
Can this vulnerability be exploited remotely?
Is there known malware, which exploits this vulnerability?
