GHSA-9P9M-JM8W-94P2

Vulnerability from github – Published: 2021-05-07 15:50 – Updated: 2024-09-20 17:20
VLAI?
Summary
Improper Handling of Highly Compressed Data (Data Amplification) and Memory Allocation with Excessive Size Value in eventlet
Details

Impact

A websocket peer may exhaust memory on Eventlet side by sending very large websocket frames. Malicious peer may exhaust memory on Eventlet side by sending highly compressed data frame.

Patches

Version 0.31.0 restricts websocket frame to reasonable limits.

Workarounds

Restricting memory usage via OS limits would help against overall machine exhaustion. No workaround to protect Eventlet process.

For more information

If you have any questions or comments about this advisory: * Open an issue in eventlet * Contact current maintainers. At 2021-03: temotor@gmail.com or https://t.me/temotor

Severity ?
5.3 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
6.9 (Medium)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "eventlet"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.10"
            },
            {
              "fixed": "0.31.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-21419"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-05-07T14:31:05Z",
    "nvd_published_at": "2021-05-07T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "### Impact\nA websocket peer may exhaust memory on Eventlet side by sending very large websocket frames. Malicious peer may exhaust memory on Eventlet side by sending highly compressed data frame.\n\n### Patches\nVersion 0.31.0 restricts websocket frame to reasonable limits.\n\n### Workarounds\nRestricting memory usage via OS limits would help against overall machine exhaustion. No workaround to protect Eventlet process.\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [eventlet](https://github.com/eventlet/eventlet/issues)\n* Contact current maintainers. At 2021-03: temotor@gmail.com or https://t.me/temotor",
  "id": "GHSA-9p9m-jm8w-94p2",
  "modified": "2024-09-20T17:20:53Z",
  "published": "2021-05-07T15:50:36Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/eventlet/eventlet/security/advisories/GHSA-9p9m-jm8w-94p2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21419"
    },
    {
      "type": "WEB",
      "url": "https://github.com/eventlet/eventlet/commit/1412f5e4125b4313f815778a1acb4d3336efcd07"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/eventlet/eventlet"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/eventlet/PYSEC-2021-12.yaml"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2WJFSBPLCNSZNHYQC4QDRDFRTEZRMD2L"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R5JZP4LZOSP7CUAM3GIRW6PIAWKH5VGB"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Improper Handling of Highly Compressed Data (Data Amplification) and Memory Allocation with Excessive Size Value in eventlet"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.