CVE-2018-1000656

python-flask: Denial of Service via crafted JSON file

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. NOTE: this may overlap CVE-2019-1010083.

Flask de The Pallets Project en versiones anteriores a la 0.12.3 contiene una vulnerabilidad CWE-20: Validación de entradas incorrecta en flask que puede dar lugar al uso de una gran cantidad de memoria, posiblemente conduciendo a una denegación de servicio (DoS). Este ataque parece ser explotable si el atacante proporciona datos JSON en la codificación incorrecta. La vulnerabilidad parece haber sido solucionada en la versión 0.12.3.NOTA: esto puede superponerse a CVE-2019-1010083.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2018-08-15 CVE Reserved
2018-08-20 CVE Published
2024-06-04 EPSS Updated
2024-08-05 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-20: Improper Input Validation

CAPEC

References (7)

URL	Tag	Source
https://github.com/pallets/flask/releases/tag/0.12.3	Third Party Advisory
https://lists.debian.org/debian-lts-announce/2019/08/msg00025.html	Mailing List

URL	Date	SRC

URL	Date	SRC
https://github.com/pallets/flask/pull/2691	2020-06-09
https://security.netapp.com/advisory/ntap-20190221-0001	2020-06-09

URL	Date	SRC
https://usn.ubuntu.com/4378-1	2020-06-09
https://access.redhat.com/security/cve/CVE-2018-1000656	2020-03-17
https://bugzilla.redhat.com/show_bug.cgi?id=1623131	2020-03-17

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Palletsprojects Search vendor "Palletsprojects"		Flask Search vendor "Palletsprojects" for product "Flask"				< 0.12.3 Search vendor "Palletsprojects" for product "Flask" and version " < 0.12.3"		-		Affected
Netapp Search vendor "Netapp"		Active Iq Search vendor "Netapp" for product "Active Iq"				*		-		Affected
Netapp Search vendor "Netapp"		Hyper Converged Infrastructure Search vendor "Netapp" for product "Hyper Converged Infrastructure"				*		-		Affected
Netapp Search vendor "Netapp"		Ontap Select Deploy Utility Search vendor "Netapp" for product "Ontap Select Deploy Utility"				*		-		Affected