CVE-2019-1010083 - OpenCVE

The Pallets Project Flask before 1.0 is affected by: unexpected memory usage. The impact is: denial of service. The attack vector is: crafted encoded JSON data. The fixed version is: 1. NOTE: this may overlap CVE-2018-1000656.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:N/C:N/I:N/A:P

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Palletsprojects	Flask

Configuration 1 [-]

cpe:2.3:a:palletsprojects:flask:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://nvd.nist.gov/vuln/detail/CVE-2019-1010083
https://palletsprojects.com/blog/flask-1-0-released/
https://snyk.io/vuln/SNYK-PYTHON-FLASK-451637
https://www.cve.org/CVERecord?id=CVE-2019-1010083
https://www.palletsprojects.com/blog/flask-1-0-released/

History

No history.

MITRE

Status: PUBLISHED

Assigner: dwf

Published: 2019-07-17T13:59:09

Updated: 2024-08-05T03:07:18.278Z

Reserved: 2019-03-20T00:00:00

Link: CVE-2019-1010083

Vulnrichment

No data.

NVD

Status : Modified

Published: 2019-07-17T14:15:11.570

Modified: 2020-08-24T17:37:01.140

Link: CVE-2019-1010083

Redhat

Severity : Moderate

Publid Date: 2018-04-26T00:00:00Z

Links: CVE-2019-1010083 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "Flask", "vendor": "The Pallets Project", "versions": [{"status": "affected", "version": "\u2264 1.0 [fixed: 1]"}]}], "descriptions": [{"lang": "en", "value": "The Pallets Project Flask before 1.0 is affected by: unexpected memory usage. The impact is: denial of service. The attack vector is: crafted encoded JSON data. The fixed version is: 1. NOTE: this may overlap CVE-2018-1000656."}], "problemTypes": [{"descriptions": [{"description": "unexpected memory usage", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-08-25T15:43:52", "orgId": "7556d962-6fb7-411e-85fa-6cd62f095ba8", "shortName": "dwf"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.palletsprojects.com/blog/flask-1-0-released/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve-assign@distributedweaknessfiling.org", "ID": "CVE-2019-1010083", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Flask", "version": {"version_data": [{"version_value": "\u2264 1.0 [fixed: 1]"}]}}]}, "vendor_name": "The Pallets Project"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Pallets Project Flask before 1.0 is affected by: unexpected memory usage. The impact is: denial of service. The attack vector is: crafted encoded JSON data. The fixed version is: 1. NOTE: this may overlap CVE-2018-1000656."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "unexpected memory usage"}]}]}, "references": {"reference_data": [{"name": "https://www.palletsprojects.com/blog/flask-1-0-released/", "refsource": "CONFIRM", "url": "https://www.palletsprojects.com/blog/flask-1-0-released/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T03:07:18.278Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.palletsprojects.com/blog/flask-1-0-released/"}]}]}, "cveMetadata": {"assignerOrgId": "7556d962-6fb7-411e-85fa-6cd62f095ba8", "assignerShortName": "dwf", "cveId": "CVE-2019-1010083", "datePublished": "2019-07-17T13:59:09", "dateReserved": "2019-03-20T00:00:00", "dateUpdated": "2024-08-05T03:07:18.278Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:palletsprojects:flask:*:*:*:*:*:*:*:*", "matchCriteriaId": "7AE56142-FD85-4494-9A67-9C74C71E6704", "versionEndExcluding": "1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Pallets Project Flask before 1.0 is affected by: unexpected memory usage. The impact is: denial of service. The attack vector is: crafted encoded JSON data. The fixed version is: 1. NOTE: this may overlap CVE-2018-1000656."}, {"lang": "es", "value": "Flask de The Pallets Project en versiones anteriores a la 1.0 se ve afectado por: el uso de memoria inesperado. El impacto es: Denegaci\u00f3n de servicio. El vector de ataque es: datos JSON codificados dise\u00f1ados. La versi\u00f3n corregida es: 1.NOTA: esto puede superponerse a CVE-2018-1000656."}], "id": "CVE-2019-1010083", "lastModified": "2020-08-24T17:37:01.140", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-07-17T14:15:11.570", "references": [{"source": "josh@bress.net", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://www.palletsprojects.com/blog/flask-1-0-released/"}], "sourceIdentifier": "josh@bress.net", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "python-flask: unexpected memory usage can lead to denial of service via crafted encoded JSON data", "id": "1888007", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1888007"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-20", "details": ["The Pallets Project Flask before 1.0 is affected by: unexpected memory usage. The impact is: denial of service. The attack vector is: crafted encoded JSON data. The fixed version is: 1. NOTE: this may overlap CVE-2018-1000656.", "A flaw was found in python-flask. Unexpected memory usage can occur through specially crafted encoded JSON data. The highest threat from this vulnerability is to system availability. Note, this may overlap CVE-2018-1000656."], "name": "CVE-2019-1010083", "package_state": [{"cpe": "cpe:/a:redhat:ceph_storage:2", "fix_state": "Out of support scope", "package_name": "python-flask", "product_name": "Red Hat Ceph Storage 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Affected", "package_name": "python-flask", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:ceph_storage:7", "fix_state": "Affected", "package_name": "python-flask", "product_name": "Red Hat Ceph Storage 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "python-flask", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "python-flask", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Not affected", "package_name": "python-flask", "product_name": "Red Hat OpenShift Container Platform 4"}, {"cpe": "cpe:/a:redhat:openstack:16", "fix_state": "Not affected", "package_name": "python-flask", "product_name": "Red Hat OpenStack Platform 16 (Train)"}, {"cpe": "cpe:/a:redhat:quay:3", "fix_state": "Not affected", "package_name": "python-flask", "product_name": "Red Hat Quay 3"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Will not fix", "impact": "low", "package_name": "python-flask", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Affected", "package_name": "python-flask", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:rhui:3", "fix_state": "Will not fix", "impact": "low", "package_name": "python-flask", "product_name": "Red Hat Update Infrastructure 3 for Cloud Providers"}], "public_date": "2018-04-26T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-1010083\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-1010083\nhttps://palletsprojects.com/blog/flask-1-0-released/\nhttps://snyk.io/vuln/SNYK-PYTHON-FLASK-451637"], "statement": "Red Hat Satellite 6.5 ships an affected version of python-flask. However, the product is not vulnerable since the data component Crane receives from pulp_docker repository metadata with JSON uses UTF-8 encoding by default. Other supported versions of the Satellite are not affected by this vulnerability.\nNote: CVE-2019-1010083 is a duplicate of the flaw in CVE-2018-1000656. However, the 2019 flaw identifies newer affected products.", "threat_severity": "Moderate", "upstream_fix": "python-flask 0.12.3, python-flask 1.0"}