{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "dateAssigned": "2018-08-19T00:00:00", "datePublic": "2018-04-10T00:00:00", "descriptions": [{"lang": "en", "value": "The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. NOTE: this may overlap CVE-2019-1010083."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-06-09T21:06:29", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20190221-0001/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/pallets/flask/pull/2691"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/pallets/flask/releases/tag/0.12.3"}, {"name": "[debian-lts-announce] 20190820 [SECURITY] [DLA 1892-1] flask security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00025.html"}, {"name": "USN-4378-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/4378-1/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "DATE_ASSIGNED": "2018-08-19T17:09:33.130462", "DATE_REQUESTED": "2018-08-15T16:18:15", "ID": "CVE-2018-1000656", "REQUESTER": "secure@veritas.com", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. NOTE: this may overlap CVE-2019-1010083."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://security.netapp.com/advisory/ntap-20190221-0001/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20190221-0001/"}, {"name": "https://github.com/pallets/flask/pull/2691", "refsource": "CONFIRM", "url": "https://github.com/pallets/flask/pull/2691"}, {"name": "https://github.com/pallets/flask/releases/tag/0.12.3", "refsource": "CONFIRM", "url": "https://github.com/pallets/flask/releases/tag/0.12.3"}, {"name": "[debian-lts-announce] 20190820 [SECURITY] [DLA 1892-1] flask security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00025.html"}, {"name": "USN-4378-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4378-1/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T12:40:47.801Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20190221-0001/"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/pallets/flask/pull/2691"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/pallets/flask/releases/tag/0.12.3"}, {"name": "[debian-lts-announce] 20190820 [SECURITY] [DLA 1892-1] flask security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00025.html"}, {"name": "USN-4378-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "https://usn.ubuntu.com/4378-1/"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-1000656", "datePublished": "2018-08-20T19:00:00", "dateReserved": "2018-08-15T00:00:00", "dateUpdated": "2024-08-05T12:40:47.801Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:palletsprojects:flask:*:*:*:*:*:*:*:*", "matchCriteriaId": "673F0EBE-9B78-49D9-B85F-8DBC01B5B47A", "versionEndExcluding": "0.12.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netapp:active_iq:*:*:*:*:*:*:*:*", "matchCriteriaId": "8750B659-22D0-472A-8505-1B0C023764B3", "vulnerable": true}, {"criteria": "cpe:2.3:a:netapp:hyper_converged_infrastructure:*:*:*:*:*:*:*:*", "matchCriteriaId": "F26D2581-1244-4C0E-8994-7FAF104C90FF", "vulnerable": true}, {"criteria": "cpe:2.3:a:netapp:ontap_select_deploy_utility:*:*:*:*:*:*:*:*", "matchCriteriaId": "89DDC4B1-1738-4AAC-ABDE-1E91C32890BA", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. NOTE: this may overlap CVE-2019-1010083."}, {"lang": "es", "value": "Flask de The Pallets Project en versiones anteriores a la 0.12.3 contiene una vulnerabilidad CWE-20: Validaci\u00f3n de entradas incorrecta en flask que puede dar lugar al uso de una gran cantidad de memoria, posiblemente conduciendo a una denegaci\u00f3n de servicio (DoS). Este ataque parece ser explotable si el atacante proporciona datos JSON en la codificaci\u00f3n incorrecta. La vulnerabilidad parece haber sido solucionada en la versi\u00f3n 0.12.3.NOTA: esto puede superponerse a CVE-2019-1010083."}], "id": "CVE-2018-1000656", "lastModified": "2024-11-21T03:40:20.450", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-08-20T19:31:45.340", "references": [{"source": "cve@mitre.org", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/pallets/flask/pull/2691"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/pallets/flask/releases/tag/0.12.3"}, {"source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00025.html"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20190221-0001/"}, {"source": "cve@mitre.org", "url": "https://usn.ubuntu.com/4378-1/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/pallets/flask/pull/2691"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/pallets/flask/releases/tag/0.12.3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00025.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20190221-0001/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://usn.ubuntu.com/4378-1/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2020:0870", "cpe": "cpe:/a:redhat:rhel_extras_other:7", "package": "python-flask-1:0.10.1-5.el7_7", "product_name": "Red Hat Enterprise Linux 7 Extras", "release_date": "2020-03-17T00:00:00Z"}], "bugzilla": {"description": "python-flask: Denial of Service via crafted JSON file", "id": "1623131", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1623131"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-20", "details": ["The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. NOTE: this may overlap CVE-2019-1010083."], "name": "CVE-2018-1000656", "package_state": [{"cpe": "cpe:/a:redhat:ceph_storage:2", "fix_state": "Affected", "package_name": "python-flask", "product_name": "Red Hat Ceph Storage 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Affected", "package_name": "python-flask", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:ceph_storage:7", "fix_state": "Affected", "package_name": "python-flask", "product_name": "Red Hat Ceph Storage 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "python-flask", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Not affected", "package_name": "python-flask", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Affected", "package_name": "python-flask", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:rhui:3", "fix_state": "Will not fix", "package_name": "python-flask", "product_name": "Red Hat Update Infrastructure 3 for Cloud Providers"}], "public_date": "2018-04-10T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2018-1000656\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-1000656"], "statement": "This issue affects the versions of python-flask as shipped with Red Hat Enterprise Linux 7.\nAlthough Red Hat Satellite 6 contains the vulnerable component, the former is not affected due to python-flask only receiving JSON data created by other Red Hat Satellite 6 components, not user-controlled JSON data, which makes the attack unfeasible.", "threat_severity": "Low", "upstream_fix": "python-flask 0.12.3"}