Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTlwOW0tam04dy05NHAy
Improper Handling of Highly Compressed Data (Data Amplification) and Memory Allocation with Excessive Size Value in eventlet
Impact
A websocket peer may exhaust memory on the Eventlet side by sending very large websocket frames. A malicious peer may also exhaust memory on the Eventlet side by sending a highly compressed data frame (data amplification).
Patches
Version 0.31.0 restricts websocket frame to reasonable limits.
Workarounds
Restricting memory usage via OS limits helps against whole-machine exhaustion. There is no workaround that protects the Eventlet process itself.
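As an added illustration of the two failure modes described above (this is example code, not eventlet's own implementation, and the limits are assumed values chosen for the example), a receiver that rejects an oversized declared frame length before buffering any payload and bounds the inflated size of a permessage-deflate payload instead of allocating whatever it expands to:

```python
import struct
import zlib

# Assumed limits for this example (not eventlet's actual values).
MAX_FRAME_PAYLOAD = 1 << 20       # reject frames declaring more than 1 MiB
MAX_INFLATED_PAYLOAD = 4 << 20    # cap decompressed output at 4 MiB

class FrameTooLarge(ValueError):
    """Raised when a frame would exceed the configured memory limits."""

def parse_frame_header(buf: bytes):
    """Parse a minimal RFC 6455 frame header and return
    (fin, rsv1, opcode, payload_len, header_len).
    The length check happens here, before any payload is read."""
    if len(buf) < 2:
        raise ValueError("short header")
    b0, b1 = buf[0], buf[1]
    fin, rsv1, opcode = bool(b0 & 0x80), bool(b0 & 0x40), b0 & 0x0F
    masked, length = bool(b1 & 0x80), b1 & 0x7F
    if length == 126:
        need, fmt = 4, "!H"
    elif length == 127:
        need, fmt = 10, "!Q"
    else:
        need, fmt = 2, None
    if len(buf) < need:
        raise ValueError("short header")
    if fmt:
        (length,) = struct.unpack(fmt, buf[2:need])
    if length > MAX_FRAME_PAYLOAD:   # refuse before allocating the payload
        raise FrameTooLarge(f"declared payload {length} > {MAX_FRAME_PAYLOAD}")
    return fin, rsv1, opcode, length, need + (4 if masked else 0)

def deflate_payload(data: bytes) -> bytes:
    """Constructed sample input: raw deflate as a permessage-deflate sender
    would emit it, with the trailing 00 00 ff ff sync marker stripped."""
    c = zlib.compressobj(wbits=-zlib.MAX_WBITS)
    out = c.compress(data) + c.flush(zlib.Z_SYNC_FLUSH)
    return out[:-4] if out.endswith(b"\x00\x00\xff\xff") else out

def inflate_bounded(payload: bytes, limit: int = MAX_INFLATED_PAYLOAD) -> bytes:
    """Inflate a compressed frame while bounding output size. zlib's
    max_length stops decompression at the cap, so a tiny frame that
    expands to gigabytes is rejected rather than allocated."""
    d = zlib.decompressobj(wbits=-zlib.MAX_WBITS)
    out = d.decompress(payload + b"\x00\x00\xff\xff", limit + 1)
    if len(out) > limit or d.unconsumed_tail:
        raise FrameTooLarge("decompressed payload exceeds limit")
    return out
```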
For more information
If you have any questions or comments about this advisory:
- Open an issue in eventlet
- Contact current maintainers. At 2021-03: [email protected] or https://t.me/temotor
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTlwOW0tam04dy05NHAy
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 3 years ago
Updated: 8 months ago
CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Identifiers: GHSA-9p9m-jm8w-94p2, CVE-2021-21419
References:
- https://github.com/eventlet/eventlet/security/advisories/GHSA-9p9m-jm8w-94p2
- https://nvd.nist.gov/vuln/detail/CVE-2021-21419
- https://lists.fedoraproject.org/archives/list/[email protected]/message/2WJFSBPLCNSZNHYQC4QDRDFRTEZRMD2L/
- https://lists.fedoraproject.org/archives/list/[email protected]/message/R5JZP4LZOSP7CUAM3GIRW6PIAWKH5VGB/
- https://github.com/eventlet/eventlet/commit/1412f5e4125b4313f815778a1acb4d3336efcd07
- https://github.com/advisories/GHSA-9p9m-jm8w-94p2
Blast Radius: 21.4
Affected Packages
pypi:eventlet
Dependent packages: 194
Dependent repositories: 10,833
Downloads: 1,594,269 last month
Affected Version Ranges: >= 0.10, < 0.31.0
Fixed in: 0.31.0
All affected versions: 0.10.0, 0.11.0, 0.12.1, 0.13.0, 0.14.0, 0.15.2, 0.16.1, 0.17.4, 0.18.2, 0.18.3, 0.18.4, 0.19.0, 0.20.0, 0.20.1, 0.21.0, 0.22.0, 0.22.1, 0.23.0, 0.24.0, 0.24.1, 0.25.0, 0.25.1, 0.25.2, 0.26.0, 0.26.1, 0.27.0, 0.28.0, 0.28.1, 0.29.0, 0.29.1, 0.30.0, 0.30.1, 0.30.2, 0.30.3
All unaffected versions: 0.5.3, 0.6.1, 0.8.16, 0.9.17, 0.31.0, 0.31.1, 0.32.0, 0.33.0, 0.33.1, 0.33.2, 0.33.3, 0.34.1, 0.34.2, 0.34.3, 0.35.0, 0.35.1, 0.35.2, 0.36.0, 0.36.1