CVE-2021-21419

Improper Handling of Highly Compressed Data (Data Amplification) and Memory Allocation with Excessive Size Value in eventlet

Severity Score

5.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Eventlet is a concurrent networking library for Python. A websocket peer may exhaust memory on Eventlet side by sending very large websocket frames. Malicious peer may exhaust memory on Eventlet side by sending highly compressed data frame. A patch in version 0.31.0 restricts websocket frame to reasonable limits. As a workaround, restricting memory usage via OS limits would help against overall machine exhaustion, but there is no workaround to protect Eventlet process.

Eventlet es una biblioteca de redes concurrentes para Python. Un peer de websocket puede agotar la memoria en el lado de Eventlet mediante el envío de tramas de websocket muy grandes. Los peers maliciosos pueden agotar la memoria en el lado de Eventlet mediante el envío de tramas de datos altamente comprimido. Un parche en la versión 0.31.0 restringe la trama de websocket a límites razonables. Como solución alternativa, restringir el uso de la memoria por medio de los límites del sistema operativo ayudaría contra el agotamiento general de la máquina, pero no hay una solución para proteger el proceso de Eventlet

A flaw was found in eventlet. If an unauthenticated user manages to send large websocket frames or highly compressed data frames that can lead to memory exhaustion. An attacker could use this flaw to cause a denial of service (DoS).

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

Low

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2020-12-22 CVE Reserved
2021-05-07 CVE Published
2024-01-21 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-400: Uncontrolled Resource Consumption

CAPEC

References (5)

URL	Tag	Source
https://github.com/eventlet/eventlet/security/advisories/GHSA-9p9m-jm8w-94p2	Third Party Advisory

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2WJFSBPLCNSZNHYQC4QDRDFRTEZRMD2L	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R5JZP4LZOSP7CUAM3GIRW6PIAWKH5VGB	2023-11-07
https://access.redhat.com/security/cve/CVE-2021-21419	2021-12-09
https://bugzilla.redhat.com/show_bug.cgi?id=1958407	2021-12-09

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Eventlet Search vendor "Eventlet"		Eventlet Search vendor "Eventlet" for product "Eventlet"				>= 0.10 < 0.31.0 Search vendor "Eventlet" for product "Eventlet" and version " >= 0.10 < 0.31.0"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				33 Search vendor "Fedoraproject" for product "Fedora" and version "33"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				34 Search vendor "Fedoraproject" for product "Fedora" and version "34"		-		Affected