Vulnerability CVE-2018-1000656


Published: 2018-08-20

Description:
The Pallets Project Flask before version 0.12.3 contains a CWE-20 (Improper Input Validation) vulnerability that can result in a large amount of memory usage, possibly leading to denial of service. The attack appears to be exploitable when an attacker provides JSON data in an incorrect encoding. The vulnerability appears to have been fixed in 0.12.3.

Type: CWE-20 (Improper Input Validation)

Vendor: Palletsprojects
Product: Flask 
Version:
0.9
0.8.1
0.8
0.7.2
0.7.1
0.7
0.6.1
0.6
0.5.2
0.5.1
0.5
0.4
0.3.1
0.3
0.2
0.12.2
0.12.1
0.12
0.11.1
0.11
0.10.1
0.10
Vendor: Netapp
Product: Active iq 
Product: Ontap select deploy utility 
Product: Hyper converged infrastructure 

CVSS2 => (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

 References:
https://github.com/pallets/flask/pull/2691
https://github.com/pallets/flask/releases/tag/0.12.3
https://lists.debian.org/debian-lts-announce/2019/08/msg00025.html
https://security.netapp.com/advisory/ntap-20190221-0001/


Copyright 2019, cxsecurity.com

 
