EIQ-2019-0027#

ID	EIQ-2019-0027
CVE	CVE-2019-1010083
Description	Pallet Projects Flask could allow denial of service (DoS)
Date	22 Jul 2019
Severity	3 - HIGH
CVSSv3 score	7.5
Status	✅ 2.6.0
Assessment	Pallet Projects Flask versions 0.12.4 and earlier are vulnerable to denial of service (DoS) attacks. Although JSON data should always be encoded in UTF-8 format, Flask would accept other formats as well. Improper input validation could enable an attacker to send Flask malicious JSON input data in an arbitrary, non-UTF-8 format. While attempting to decode the payload, Flask would consume the available memory resources, which would result in a denial of service. To exploit the vulnerability, attackers must have access to the target system, and the system must accept input from untrusted sources.
Mitigation	Restrict network access only to trusted users. Restrict network access from untrusted sources. Flask versions 1.0 and later detect and validate the encoding format of the input JSON data. Therefore, arbitrary JSON encodings are no longer allowed.
Affected versions	2.5.0 and earlier.
Notes	For more information, see: Mitre CVE-2019-1010083 report Snyk CVE-2019-1010083 report CWE-20: Improper Input Validation GitHub PR introducing JSON encoding check and validation Flask 1.0 release announcement