CVE-2017-1000158

CRITICAL

CPython <2.7.14 - Buffer Overflow

Title source: llm

Description

CPython (aka Python) up to 2.7.13 is vulnerable to an integer overflow in the PyString_DecodeEscape function in stringobject.c, resulting in a heap-based buffer overflow (and possible arbitrary code execution).

Scores

CVSS v3 9.8
EPSS 0.0372
EPSS Percentile 87.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Classification

CWE
CWE-190
Status draft

Affected Products (4)

python/python < 2.7.15
debian/debian_linux
debian/debian_linux
debian/debian_linux

Timeline

Published Nov 17, 2017
Tracked Since Feb 18, 2026