#VU15760 XXE attack in Python - CVE-2018-14647


Published: November 8, 2018 / Updated: November 8, 2018


Vulnerability identifier: #VU15760
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-14647
CWE-ID: CWE-611
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Python
Software vendor:
Python.org

Description

The vulnerability allows a remote attacker to conduct an XXE attack.

The vulnerability exists due to improper handling of XML External Entities (XXEs) when parsing an XML file. A remote attacker can trick the victim into opening an XML file that submits malicious input, triggers pathological hash collisions in Expat's internal data structures, consumes large amounts of CPU and RAM, and causes a denial of service (DoS) condition.
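Until the vendor update is applied, applications that feed untrusted XML to Python's Expat binding can reduce exposure by refusing the features CWE-611 concerns (DOCTYPE and entity declarations, external entity references) and capping input size. The helper below is an added illustration, not code from the advisory or from Python.org; the function names and the 1 MiB cap are constructed for the example.

```python
import xml.parsers.expat as expat

# Constructed policy value: cap input size so a hostile document cannot force unbounded work.
MAX_XML_BYTES = 1 << 20


class UnsafeXML(ValueError):
    """Raised when a document uses a feature the policy forbids."""


def parse_untrusted_xml(data: bytes, max_bytes: int = MAX_XML_BYTES):
    """Parse untrusted XML into (kind, value) events, rejecting DTDs and entities."""
    if len(data) > max_bytes:
        raise UnsafeXML(f"document of {len(data)} bytes exceeds cap of {max_bytes}")

    parser = expat.ParserCreate()
    # Never read external parameter entities (i.e. an external DTD subset).
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    events = []

    def start_doctype(name, sysid, pubid, has_internal_subset):
        # Entities can only be declared inside a DOCTYPE; refuse the whole thing.
        raise UnsafeXML(f"DOCTYPE not allowed (root {name!r})")

    def entity_decl(*_):
        raise UnsafeXML("entity declaration not allowed")

    def external_entity_ref(context, base, sysid, pubid):
        # Returning 0 tells Expat to fail the parse instead of fetching the resource.
        return 0

    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.StartElementHandler = lambda tag, attrs: events.append(("start", tag))
    parser.CharacterDataHandler = lambda text: events.append(("text", text))

    try:
        parser.Parse(data, True)  # exceptions raised in handlers propagate out of Parse()
    except expat.ExpatError as exc:
        raise UnsafeXML(f"malformed or rejected XML: {exc}") from exc
    return events


def is_acceptable_xml(data: bytes, max_bytes: int = MAX_XML_BYTES) -> bool:
    """True if the document parses under the policy, False if it is rejected."""
    try:
        parse_untrusted_xml(data, max_bytes)
    except UnsafeXML:
        return False
    return True
```

The size cap is the part that addresses the resource-exhaustion behaviour described above; the DOCTYPE and entity handlers address the external-entity side of CWE-611.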


Remediation

Install update from vendor's website.

External links