EIQ-2019-0003



ID

EIQ-2019-0003

CVE

-

Description

msgpack-python can consume all available system memory

Date

05 Feb 2019

Severity

1 - LOW

CVSSv3 score

CVSSv3 score not available on NIST NVD.

Status

✓ 2.3.4

Assessment

msgpack-python is a Python implementation of the MessagePack serializer.

msgpack-python versions earlier than 0.6.0 set a very high object size default limit.
This makes it possible to pass extremely large objects for serialization, which results in the process using all the available system memory.

Mitigation

Update to msgpack-python 0.6.1.

Affected versions

2.3.3

Notes

msgpack-python is used as a dependency only in EclecticIQ Platform 2.3.3.

For more information, see Change default decoder limits.
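
The sketch below is an added example, not EclecticIQ or msgpack-python code. It illustrates the kind of input limit the assessment refers to by walking MessagePack headers with the standard library only and rejecting any declared length above a limit before the payload is materialized. The function name, the `LIMITS` values and the sample byte strings are assumptions constructed for this illustration.

```python
# Assumed limits for illustration (not msgpack-python's defaults).
LIMITS = {"str": 1 << 20, "bin": 1 << 20, "ext": 1 << 20,
          "array": 1 << 16, "map": 1 << 15}
# Type byte -> (kind, width in bytes of the big-endian length field).
SIZED = {0xc4: ("bin", 1), 0xc5: ("bin", 2), 0xc6: ("bin", 4),
         0xc7: ("ext", 1), 0xc8: ("ext", 2), 0xc9: ("ext", 4),
         0xd9: ("str", 1), 0xda: ("str", 2), 0xdb: ("str", 4),
         0xdc: ("array", 2), 0xdd: ("array", 4),
         0xde: ("map", 2), 0xdf: ("map", 4)}
# Type byte -> bytes following it: float32/64, uint8-64, int8-64, fixext1-16.
FIXED = {0xca: 4, 0xcb: 8, 0xcc: 1, 0xcd: 2, 0xce: 4, 0xcf: 8,
         0xd0: 1, 0xd1: 2, 0xd2: 4, 0xd3: 8,
         0xd4: 2, 0xd5: 3, 0xd6: 5, 0xd7: 9, 0xd8: 17}

# Constructed samples: [1, 2, "hi"], and an array32 header declaring 1,000,000 items.
SAMPLE_OK = b"\x93\x01\x02\xa2hi"
SAMPLE_OVERSIZED = b"\xdd\x00\x0f\x42\x40"

def check_declared_sizes(data, limits=LIMITS):
    """Walk headers only; return bytes used by the first object or raise ValueError."""
    pos, pending = 0, 1                      # pending: objects still to visit
    while pending:
        if pos >= len(data):
            raise ValueError("truncated input")
        b = data[pos]
        pos, pending = pos + 1, pending - 1
        if b <= 0x7f or b >= 0xe0 or b in (0xc0, 0xc2, 0xc3) or b in FIXED:
            pos += FIXED.get(b, 0)           # scalar: skip fixed-size payload, if any
            continue
        if 0x80 <= b <= 0x8f:
            kind, n = "map", b & 0x0f        # fixmap
        elif 0x90 <= b <= 0x9f:
            kind, n = "array", b & 0x0f      # fixarray
        elif 0xa0 <= b <= 0xbf:
            kind, n = "str", b & 0x1f        # fixstr
        elif b in SIZED:
            kind, width = SIZED[b]
            n = int.from_bytes(data[pos:pos + width], "big")
            pos += width
        else:
            raise ValueError(f"invalid type byte 0x{b:02x}")
        if n > limits[kind]:
            raise ValueError(f"{kind} length {n} exceeds limit {limits[kind]}")
        if kind in ("array", "map"):
            pending += n * (2 if kind == "map" else 1)   # map: key and value per entry
        else:
            pos += n + (kind == "ext")       # payload, plus the ext type byte
    if pos > len(data):
        raise ValueError("truncated input")
    return pos
```

msgpack-python's own `Unpacker` exposes equivalent `max_str_len`, `max_bin_len`, `max_array_len`, `max_map_len` and `max_ext_len` arguments, so explicit limits can also be set there.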
