CVE-2018-1000656 - OpenCVE

The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. NOTE: this may overlap CVE-2019-1010083.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:N/C:N/I:N/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Netapp	Hyper Converged Infrastructure Ontap Select Deploy Utility Active Iq
Palletsprojects	Flask

Configuration 1 [-]

cpe:2.3:a:palletsprojects:flask:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:a:netapp:active_iq::::::::
	cpe:2.3:a:netapp:hyper_converged_infrastructure::::::::
	cpe:2.3:a:netapp:ontap_select_deploy_utility::::::::

References

Link	Resource
https://github.com/pallets/flask/pull/2691	Issue Tracking Patch Third Party Advisory
https://github.com/pallets/flask/releases/tag/0.12.3	Third Party Advisory
https://lists.debian.org/debian-lts-announce/2019/08/msg00025.html
https://security.netapp.com/advisory/ntap-20190221-0001/	Patch Third Party Advisory
https://usn.ubuntu.com/4378-1/

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2018-08-20T19:00:00

Updated: 2020-06-09T21:06:29

Reserved: 2018-08-15T00:00:00

Link: CVE-2018-1000656

JSON object: View

NVD Information

Status : Modified

Published: 2018-08-20T19:31:45.340

Modified: 2020-06-09T22:15:10.943

Link: CVE-2018-1000656

JSON object: View

Redhat Information

No data.

CWE

CWE-20

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "dateAssigned": "2018-08-19T00:00:00", "datePublic": "2018-04-10T00:00:00", "descriptions": [{"lang": "en", "value": "The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. NOTE: this may overlap CVE-2019-1010083."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-06-09T21:06:29", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20190221-0001/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/pallets/flask/pull/2691"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/pallets/flask/releases/tag/0.12.3"}, {"name": "[debian-lts-announce] 20190820 [SECURITY] [DLA 1892-1] flask security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00025.html"}, {"name": "USN-4378-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/4378-1/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "DATE_ASSIGNED": "2018-08-19T17:09:33.130462", "DATE_REQUESTED": "2018-08-15T16:18:15", "ID": "CVE-2018-1000656", "REQUESTER": "secure@veritas.com", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. NOTE: this may overlap CVE-2019-1010083."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://security.netapp.com/advisory/ntap-20190221-0001/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20190221-0001/"}, {"name": "https://github.com/pallets/flask/pull/2691", "refsource": "CONFIRM", "url": "https://github.com/pallets/flask/pull/2691"}, {"name": "https://github.com/pallets/flask/releases/tag/0.12.3", "refsource": "CONFIRM", "url": "https://github.com/pallets/flask/releases/tag/0.12.3"}, {"name": "[debian-lts-announce] 20190820 [SECURITY] [DLA 1892-1] flask security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00025.html"}, {"name": "USN-4378-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4378-1/"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-1000656", "datePublished": "2018-08-20T19:00:00", "dateReserved": "2018-08-15T00:00:00", "dateUpdated": "2020-06-09T21:06:29", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:palletsprojects:flask:*:*:*:*:*:*:*:*", "matchCriteriaId": "673F0EBE-9B78-49D9-B85F-8DBC01B5B47A", "versionEndExcluding": "0.12.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netapp:active_iq:*:*:*:*:*:*:*:*", "matchCriteriaId": "8750B659-22D0-472A-8505-1B0C023764B3", "vulnerable": true}, {"criteria": "cpe:2.3:a:netapp:hyper_converged_infrastructure:*:*:*:*:*:*:*:*", "matchCriteriaId": "F26D2581-1244-4C0E-8994-7FAF104C90FF", "vulnerable": true}, {"criteria": "cpe:2.3:a:netapp:ontap_select_deploy_utility:*:*:*:*:*:*:*:*", "matchCriteriaId": "89DDC4B1-1738-4AAC-ABDE-1E91C32890BA", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. NOTE: this may overlap CVE-2019-1010083."}, {"lang": "es", "value": "Flask de The Pallets Project en versiones anteriores a la 0.12.3 contiene una vulnerabilidad CWE-20: Validaci\u00f3n de entradas incorrecta en flask que puede dar lugar al uso de una gran cantidad de memoria, posiblemente conduciendo a una denegaci\u00f3n de servicio (DoS). Este ataque parece ser explotable si el atacante proporciona datos JSON en la codificaci\u00f3n incorrecta. La vulnerabilidad parece haber sido solucionada en la versi\u00f3n 0.12.3.NOTA: esto puede superponerse a CVE-2019-1010083."}], "id": "CVE-2018-1000656", "lastModified": "2020-06-09T22:15:10.943", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-08-20T19:31:45.340", "references": [{"source": "cve@mitre.org", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/pallets/flask/pull/2691"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/pallets/flask/releases/tag/0.12.3"}, {"source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00025.html"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20190221-0001/"}, {"source": "cve@mitre.org", "url": "https://usn.ubuntu.com/4378-1/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}