CVE-2018-1000656
Published: 20 August 2018
The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. NOTE: this may overlap CVE-2019-1010083.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
flask Launchpad, Ubuntu, Debian |
bionic |
Released
(0.12.2-3ubuntu0.1)
|
| cosmic |
Not vulnerable
(1.0.2-1)
|
|
| disco |
Not vulnerable
(1.0.2-1)
|
|
| eoan |
Not vulnerable
(1.0.2-1)
|
|
| focal |
Not vulnerable
(1.0.2-1)
|
|
| trusty |
Released
(0.10.1-2ubuntu0.1~esm1)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
|
| upstream |
Released
(1.0.2-1)
|
|
| xenial |
Released
(0.10.1-2ubuntu0.1)
|
|
|
Patches: upstream: https://github.com/pallets/flask/commit/0e1e9a04aaf29ab78f721cfc79ac2a691f6e3929 upstream: https://github.com/pallets/flask/pull/2691 |
||
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 7.5 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | None |
| Availability impact | High |
| Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |