CVE-2018-1000808

MEDIUM

Python Cryptographic Authority pyopenssl <17.5.0 - Use After Free

Title source: llm

Description

Python Cryptographic Authority pyopenssl version Before 17.5.0 contains a CWE - 401 : Failure to Release Memory Before Removing Last Reference vulnerability in PKCS #12 Store that can result in Denial of service if memory runs low or is exhausted. This attack appear to be exploitable via Depends upon calling application, however it could be as simple as initiating a TLS connection. Anything that would cause the calling application to reload certificates from a PKCS #12 store.. This vulnerability appears to have been fixed in 17.5.0.

References (4)

Core 4

Core References

Patch, Third Party Advisory x_refsource_confirm

https://github.com/pyca/pyopenssl/pull/723

Third Party Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2019:0085

Third Party Advisory vendor-advisory x_refsource_ubuntu

https://usn.ubuntu.com/3813-1/

Mailing List vendor-advisory x_refsource_suse

http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00014.html

Scores

CVSS v3 5.9

EPSS 0.0016

EPSS Percentile 36.6%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE

CWE-404

Status published

Products (8)

canonical/ubuntu_linux 16.04

pyopenssl_project/pyopenssl < 17.5.0

pypi/pyopenssl 0 - 17.5.0PyPI

redhat/enterprise_linux_desktop 7.0

redhat/enterprise_linux_server 7.0

redhat/enterprise_linux_workstation 7.0

redhat/gluster_storage 3.0

redhat/openstack 13

Published Oct 08, 2018

Tracked Since Feb 18, 2026