DEBIAN-CVE-2018-1000802

Advisory lineage Upstream: 1 Downstream: 3

Upstream

CVE-2018-1000802

Downstream

DLA-1519-1 DLA-1520-1 DSA-4306-1

Published: 18 Sept 2018, 17:29

Last modified:28 Apr 2026, 20:18

Vulnerability Summary

Overall Risk (default)

high

70/100

CVSS Score

9.8 CRITICAL

3.1 (osv_debian)

EPSS Score

No data

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

18 Sept 2018, 17:29

Published

Vulnerability first disclosed

28 Apr 2026, 20:18

Last Modified

Vulnerability information updated

Description

Python Software Foundation Python (CPython) version 2.7 contains a CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability in shutil module (make_archive function) that can result in Denial of service, Information gain via injection of arbitrary files on the system or entire drive. This attack appear to be exploitable via Passage of unfiltered user input to the function. This vulnerability appears to have been fixed in after commit add531a1e55b0a739b0f42582f1c9747e5649ace.

CVSS Metrics

v3.1•CRITICAL•Score: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Systems

debian•python2.7
< 2.7.15-5

References (1)

https://security-tracker.debian.org/tracker/CVE-2018-1000802