Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTU2MmMtNXI5NC14aDk3

Flask is vulnerable to Denial of Service via incorrect encoding of JSON data

The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3.

Permalink: https://github.com/advisories/GHSA-562c-5r94-xh97
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTU2MmMtNXI5NC14aDk3
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 5 years ago
Updated: 8 months ago

CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Identifiers: GHSA-562c-5r94-xh97, CVE-2018-1000656
References:

Repository: https://github.com/pallets/flask
Blast Radius: 38.1

Affected Packages

pypi:flask

Dependent packages: 1,970
Dependent repositories: 119,058
Downloads: 102,779,650 last month
Affected Version Ranges: < 0.12.3
Fixed in: 0.12.3
All affected versions: 0.3.1, 0.5.1, 0.5.2, 0.6.1, 0.7.1, 0.7.2, 0.8.1, 0.10.1, 0.11.1, 0.12.1, 0.12.2
All unaffected versions: 0.12.3, 0.12.4, 0.12.5, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 3.0.0, 3.0.1, 3.0.2, 3.0.3