CVE-2018-1000656

NameCVE-2018-1000656
DescriptionThe Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. NOTE: this may overlap CVE-2019-1010083.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-1892-1
NVD severitymedium

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
flask (PTS)stretch0.12.1-1vulnerable
buster1.0.2-3fixed
bullseye, sid1.1.2-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
flasksourcejessie0.10.1-2+deb8u1DLA-1892-1
flasksource(unstable)1.0.2-1

Notes

[stretch] - flask <no-dsa> (Minor issue)
https://github.com/pallets/flask/pull/2691

Search for package or bug name: Reporting problems