PyPi: Oci-Cli

CVE-2018-1000808

Safety vulnerability ID: 36804

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Oct 08, 2018 Updated at Dec 10, 2024

Advisory

oci-cli 2.4.40 includes a fix for CVE-2018-1000808: Python Cryptographic Authority pyOpenSSL versions before 17.5.0 contain a CWE-401 (Failure to Release Memory Before Removing Last Reference) vulnerability in the PKCS #12 store that can result in denial of service if memory runs low or is exhausted. The attack appears to be exploitable in a way that depends upon the calling application; however, it could be as simple as initiating a TLS connection, or anything that would cause the calling application to reload certificates from a PKCS #12 store. This vulnerability appears to have been fixed in 17.5.0.
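As an added check that is not part of this advisory page: a small Python script that reads pinned requirement lines (constructed sample input) and reports pins that predate the fixed versions the advisory names (oci-cli 2.4.40, pyOpenSSL 17.5.0). Pre-release tags such as ``rc1`` are ranked below the plain release so that a candidate build of the fixed version is still reported.

```python
"""Report pinned packages that predate the CVE-2018-1000808 fix.

Fixed versions come from the advisory text; requirement lines are
constructed sample input, not taken from any real project.
"""
import re

# Package -> first fixed version, from the advisory (keys lowercased).
FIXED_IN = {
    "oci-cli": (2, 4, 40),
    "pyopenssl": (17, 5, 0),
}

# Matches exact pins only, e.g. "pyOpenSSL==17.3.0"; ranges are skipped.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9A-Za-z.]*)\s*$")


def parse_version(text):
    """'2.4.39' -> (2, 4, 39); a pre-release tag ('0rc1') appends -1 so it
    sorts below the plain release of the same number."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"(\d+)(.*)", piece)
        if not m:
            parts.append(0)
            continue
        parts.append(int(m.group(1)))
        if m.group(2):  # trailing tag such as rc1, b2, a1
            parts.append(-1)
            break
    return tuple(parts)


def is_affected(name, version):
    """True when `version` of `name` is older than the advisory's fixed version."""
    fixed = FIXED_IN.get(name.lower().replace("_", "-"))
    if fixed is None:
        return False
    installed = parse_version(version)
    width = max(len(installed), len(fixed))
    pad = lambda v: v + (0,) * (width - len(v))  # compare at equal length
    return pad(installed) < pad(fixed)


def scan_requirements(lines):
    """Return (name, version) pairs from pinned lines that predate the fix."""
    findings = []
    for line in lines:
        m = PIN_RE.match(line)
        if m and is_affected(*m.groups()):
            findings.append(m.groups())
    return findings


# Constructed sample requirements file.
SAMPLE_REQUIREMENTS = """
# pinned deps
oci-cli==2.4.39
pyOpenSSL==17.3.0
cryptography==2.1.4
requests==2.20.0
""".strip().splitlines()

if __name__ == "__main__":
    for name, version in scan_requirements(SAMPLE_REQUIREMENTS):
        print(f"{name}=={version} predates the CVE-2018-1000808 fix")
```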

Affected package

oci-cli

Latest version: 3.50.3

Oracle Cloud Infrastructure CLI

Affected versions: <2.4.40

Fixed versions: 2.4.40

Vulnerability changelog

2.4.40
------

Added
~~~~~
* Support for sparse diskgroup option with Exadata shape in the following command:

  * ``oci db system launch``

* Support for Data Guard on VM DB Shape

* Support for the create option ``with-new-db-system`` along with ``from-existing-db-system``:

  * ``oci db data-guard-association create with-new-db-system``

* Support for tagging Zones in the DNS service.

* Block Storage paravirtualized-encryption-in-transit feature:

  * Ability to enable encryption-in-transit for paravirtualized volume attachment for both boot volumes and data volumes (``oci compute volume-attachment attach-paravirtualized-volume``)

* Support for resetting the IdP SCIM client as part of the Identity Service:

  * ``oci iam scim-client-credentials reset-idp-scim-client --identity-provider-id``

* Support for updating user capabilities as part of the Identity Service:

  * ``oci iam user update-user-capabilities --user-id``

* Support for listing identity provider groups as part of the Identity Service:

  * ``oci iam identity-provider-group list``

Changed
~~~~~~~
* New attribute ``is-latest-for-major-version`` is included in the ``oci db version list`` response

* pyOpenSSL was upgraded to version 17.5.0 and cryptography to version 2.1.4 to address a vulnerability identified on GitHub as CVE-2018-1000808.


Severity Details

CVSS Base Score

MEDIUM 5.9

CVSS v3 Details

MEDIUM 5.9

Attack Vector (AV): NETWORK
Attack Complexity (AC): HIGH
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality Impact (C): NONE
Integrity Impact (I): NONE
Availability Impact (A): HIGH

CVSS v2 Details

MEDIUM 4.3

Access Vector (AV): NETWORK
Access Complexity (AC): MEDIUM
Authentication (Au): NONE
Confidentiality Impact (C): NONE
Integrity Impact (I): NONE
Availability Impact (A): PARTIAL