EIQ-2019-0027



ID

EIQ-2019-0027

CVE

CVE-2019-1010083

Description

Pallet Projects Flask could allow denial of service (DoS)

Date

22 Jul 2019

Severity

3 - HIGH

CVSSv3 score

7.5

Status

images/s/-u524h5/8501/61630d2d4f75946459caa0b3dbdac9bd6d7a7de4/_/images/icons/emoticons/check.svg 2.6.0

Assessment

Pallet Projects Flask versions 0.12.4 and earlier are vulnerable to denial of service (DoS) attacks.

Although JSON data should always be encoded in UTF-8 format, Flask would accept other formats as well.
Improper input validation could enable an attacker to send Flask malicious JSON input data in an arbitrary, non-UTF-8 format.

While attempting to decode the payload, Flask would consume the available memory resources, which would result in a denial of service.

To exploit the vulnerability, attackers must have access to the target system, and the system must accept input from untrusted sources.

Mitigation

  • Restrict network access only to trusted users.

  • Restrict network access from untrusted sources.

  • Flask versions 1.0 and later detect and validate the encoding format of the input JSON data.
    Therefore, arbitrary JSON encodings are no longer allowed.

Affected versions

2.5.0 and earlier.

Notes

For more information, see:

< Back to all security issues and mitigation actions


In release notes 2.5.0

In release notes 2.6.0