CVE-2018-1000656

NameCVE-2018-1000656
DescriptionThe Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
flask (PTS)jessie0.10.1-2vulnerable
stretch0.12.1-1vulnerable
buster, sid1.0.2-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
flasksource(unstable)1.0.2-1medium

Notes

[stretch] - flask <no-dsa> (Minor issue)
[jessie] - flask <no-dsa> (Minor issue)
https://github.com/pallets/flask/pull/2691

Search for package or bug name: Reporting problems