// For flags

CVE-2018-1000656

python-flask: Denial of Service via crafted JSON file

Severity Score

7.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. NOTE: this may overlap CVE-2019-1010083.

Flask de The Pallets Project en versiones anteriores a la 0.12.3 contiene una vulnerabilidad CWE-20: Validación de entradas incorrecta en flask que puede dar lugar al uso de una gran cantidad de memoria, posiblemente conduciendo a una denegación de servicio (DoS). Este ataque parece ser explotable si el atacante proporciona datos JSON en la codificación incorrecta. La vulnerabilidad parece haber sido solucionada en la versión 0.12.3.NOTA: esto puede superponerse a CVE-2019-1010083.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
None
Integrity
None
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2018-08-15 CVE Reserved
  • 2018-08-20 CVE Published
  • 2024-06-04 EPSS Updated
  • 2024-08-05 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-20: Improper Input Validation
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Palletsprojects
Search vendor "Palletsprojects"
Flask
Search vendor "Palletsprojects" for product "Flask"
< 0.12.3
Search vendor "Palletsprojects" for product "Flask" and version " < 0.12.3"
-
Affected
Netapp
Search vendor "Netapp"
Active Iq
Search vendor "Netapp" for product "Active Iq"
*-
Affected
Netapp
Search vendor "Netapp"
Hyper Converged Infrastructure
Search vendor "Netapp" for product "Hyper Converged Infrastructure"
*-
Affected
Netapp
Search vendor "Netapp"
Ontap Select Deploy Utility
Search vendor "Netapp" for product "Ontap Select Deploy Utility"
*-
Affected