cvelistv5 - cve-2018-1000656

CVE-2018-1000656 (GCVE-0-2018-1000656)

Vulnerability from cvelistv5 – Published: 2018-08-20 19:00 – Updated: 2024-08-05 12:40

Summary

The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. NOTE: this may overlap CVE-2019-1010083.

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

	https://security.netapp.com/advisory/ntap-2019022…	x_refsource_CONFIRM
	https://github.com/pallets/flask/pull/2691	x_refsource_CONFIRM
	https://github.com/pallets/flask/releases/tag/0.12.3	x_refsource_CONFIRM
	https://lists.debian.org/debian-lts-announce/2019…	mailing-listx_refsource_MLIST
	https://usn.ubuntu.com/4378-1/	vendor-advisoryx_refsource_UBUNTU

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T12:40:47.801Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20190221-0001/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/pallets/flask/pull/2691"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/pallets/flask/releases/tag/0.12.3"
          },
          {
            "name": "[debian-lts-announce] 20190820 [SECURITY] [DLA 1892-1] flask security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00025.html"
          },
          {
            "name": "USN-4378-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/4378-1/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "dateAssigned": "2018-08-19T00:00:00",
      "datePublic": "2018-04-10T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. NOTE: this may overlap CVE-2019-1010083."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-06-09T21:06:29",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20190221-0001/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/pallets/flask/pull/2691"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/pallets/flask/releases/tag/0.12.3"
        },
        {
          "name": "[debian-lts-announce] 20190820 [SECURITY] [DLA 1892-1] flask security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00025.html"
        },
        {
          "name": "USN-4378-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://usn.ubuntu.com/4378-1/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "DATE_ASSIGNED": "2018-08-19T17:09:33.130462",
          "DATE_REQUESTED": "2018-08-15T16:18:15",
          "ID": "CVE-2018-1000656",
          "REQUESTER": "secure@veritas.com",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. NOTE: this may overlap CVE-2019-1010083."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://security.netapp.com/advisory/ntap-20190221-0001/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20190221-0001/"
            },
            {
              "name": "https://github.com/pallets/flask/pull/2691",
              "refsource": "CONFIRM",
              "url": "https://github.com/pallets/flask/pull/2691"
            },
            {
              "name": "https://github.com/pallets/flask/releases/tag/0.12.3",
              "refsource": "CONFIRM",
              "url": "https://github.com/pallets/flask/releases/tag/0.12.3"
            },
            {
              "name": "[debian-lts-announce] 20190820 [SECURITY] [DLA 1892-1] flask security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00025.html"
            },
            {
              "name": "USN-4378-1",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/4378-1/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2018-1000656",
    "datePublished": "2018-08-20T19:00:00",
    "dateReserved": "2018-08-15T00:00:00",
    "dateUpdated": "2024-08-05T12:40:47.801Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:palletsprojects:flask:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"0.12.3\", \"matchCriteriaId\": \"673F0EBE-9B78-49D9-B85F-8DBC01B5B47A\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:netapp:active_iq:*:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"8750B659-22D0-472A-8505-1B0C023764B3\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:netapp:hyper_converged_infrastructure:*:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"F26D2581-1244-4C0E-8994-7FAF104C90FF\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:netapp:ontap_select_deploy_utility:*:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"89DDC4B1-1738-4AAC-ABDE-1E91C32890BA\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. NOTE: this may overlap CVE-2019-1010083.\"}, {\"lang\": \"es\", \"value\": \"Flask de The Pallets Project en versiones anteriores a la 0.12.3 contiene una vulnerabilidad CWE-20: Validaci\\u00f3n de entradas incorrecta en flask que puede dar lugar al uso de una gran cantidad de memoria, posiblemente conduciendo a una denegaci\\u00f3n de servicio (DoS). Este ataque parece ser explotable si el atacante proporciona datos JSON en la codificaci\\u00f3n incorrecta. La vulnerabilidad parece haber sido solucionada en la versi\\u00f3n 0.12.3.NOTA: esto puede superponerse a CVE-2019-1010083.\"}]",
      "id": "CVE-2018-1000656",
      "lastModified": "2024-11-21T03:40:20.450",
      "metrics": "{\"cvssMetricV30\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:N/I:N/A:P\", \"baseScore\": 5.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 10.0, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2018-08-20T19:31:45.340",
      "references": "[{\"url\": \"https://github.com/pallets/flask/pull/2691\", \"source\": \"cve@mitre.org\", \"tags\": [\"Issue Tracking\", \"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/pallets/flask/releases/tag/0.12.3\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2019/08/msg00025.html\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://security.netapp.com/advisory/ntap-20190221-0001/\", \"source\": \"cve@mitre.org\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://usn.ubuntu.com/4378-1/\", \"source\": \"cve@mitre.org\"}, {\"url\": \"https://github.com/pallets/flask/pull/2691\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Issue Tracking\", \"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/pallets/flask/releases/tag/0.12.3\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2019/08/msg00025.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://security.netapp.com/advisory/ntap-20190221-0001/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://usn.ubuntu.com/4378-1/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "cve@mitre.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-20\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2018-1000656\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2018-08-20T19:31:45.340\",\"lastModified\":\"2024-11-21T03:40:20.450\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. NOTE: this may overlap CVE-2019-1010083.\"},{\"lang\":\"es\",\"value\":\"Flask de The Pallets Project en versiones anteriores a la 0.12.3 contiene una vulnerabilidad CWE-20: Validaci\u00f3n de entradas incorrecta en flask que puede dar lugar al uso de una gran cantidad de memoria, posiblemente conduciendo a una denegaci\u00f3n de servicio (DoS). Este ataque parece ser explotable si el atacante proporciona datos JSON en la codificaci\u00f3n incorrecta. La vulnerabilidad parece haber sido solucionada en la versi\u00f3n 0.12.3.NOTA: esto puede superponerse a CVE-2019-1010083.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:N/I:N/A:P\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-20\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:palletsprojects:flask:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.12.3\",\"matchCriteriaId\":\"673F0EBE-9B78-49D9-B85F-8DBC01B5B47A\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:netapp:active_iq:*:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8750B659-22D0-472A-8505-1B0C023764B3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:netapp:hyper_converged_infrastructure:*:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F26D2581-1244-4C0E-8994-7FAF104C90FF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:netapp:ontap_select_deploy_utility:*:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"89DDC4B1-1738-4AAC-ABDE-1E91C32890BA\"}]}]}],\"references\":[{\"url\":\"https://github.com/pallets/flask/pull/2691\",\"source\":\"cve@mitre.org\",\"tags\":[\"Issue Tracking\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/pallets/flask/releases/tag/0.12.3\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2019/08/msg00025.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20190221-0001/\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://usn.ubuntu.com/4378-1/\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://github.com/pallets/flask/pull/2691\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/pallets/flask/releases/tag/0.12.3\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2019/08/msg00025.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://security.netapp.com/advisory/ntap-20190221-0001/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://usn.ubuntu.com/4378-1/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}

SUSE-SU-2019:0657-1

Vulnerability from csaf_suse - Published: 2019-03-20 11:49 - Updated: 2019-03-20 11:49

Summary

Security update for python-Flask

Notes

Title of the patch

Security update for python-Flask

Description of the patch

This update for python-Flask to version 0.12.4 fixes the following issues: Security issue fixed: - CVE-2018-1000656: Fixed an improper input validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. (bsc#1106279)

Patchnames

SUSE-2019-657,SUSE-SLE-Module-Basesystem-15-2019-657,SUSE-SLE-Module-Development-Tools-OBS-15-2019-657,SUSE-SLE-Module-Packagehub-Subpackages-15-2019-657

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "low"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for python-Flask",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for python-Flask to version 0.12.4 fixes the following issues:\n\nSecurity issue fixed:\n\n- CVE-2018-1000656: Fixed an improper input validation vulnerability in flask\n  that can result in Large amount of memory usage possibly leading to denial of\n  service. (bsc#1106279)\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-2019-657,SUSE-SLE-Module-Basesystem-15-2019-657,SUSE-SLE-Module-Development-Tools-OBS-15-2019-657,SUSE-SLE-Module-Packagehub-Subpackages-15-2019-657",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2019_0657-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2019:0657-1",
        "url": "https://www.suse.com/support/update/announcement/2019/suse-su-20190657-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2019:0657-1",
        "url": "https://www.suse.com/support/update/announcement/2019/suse-su-20190657-1.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1106279",
        "url": "https://bugzilla.suse.com/1106279"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2018-1000656 page",
        "url": "https://www.suse.com/security/cve/CVE-2018-1000656/"
      }
    ],
    "title": "Security update for python-Flask",
    "tracking": {
      "current_release_date": "2019-03-20T11:49:45Z",
      "generator": {
        "date": "2019-03-20T11:49:45Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2019:0657-1",
      "initial_release_date": "2019-03-20T11:49:45Z",
      "revision_history": [
        {
          "date": "2019-03-20T11:49:45Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python2-Flask-0.12.4-3.3.26.noarch",
                "product": {
                  "name": "python2-Flask-0.12.4-3.3.26.noarch",
                  "product_id": "python2-Flask-0.12.4-3.3.26.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "python2-Flask-doc-0.12.4-3.3.26.noarch",
                "product": {
                  "name": "python2-Flask-doc-0.12.4-3.3.26.noarch",
                  "product_id": "python2-Flask-doc-0.12.4-3.3.26.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "python3-Flask-0.12.4-3.3.26.noarch",
                "product": {
                  "name": "python3-Flask-0.12.4-3.3.26.noarch",
                  "product_id": "python3-Flask-0.12.4-3.3.26.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "python3-Flask-doc-0.12.4-3.3.26.noarch",
                "product": {
                  "name": "python3-Flask-doc-0.12.4-3.3.26.noarch",
                  "product_id": "python3-Flask-doc-0.12.4-3.3.26.noarch"
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Module for Basesystem 15",
                "product": {
                  "name": "SUSE Linux Enterprise Module for Basesystem 15",
                  "product_id": "SUSE Linux Enterprise Module for Basesystem 15",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle-module-basesystem:15"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise Module for Package Hub 15",
                "product": {
                  "name": "SUSE Linux Enterprise Module for Package Hub 15",
                  "product_id": "SUSE Linux Enterprise Module for Package Hub 15",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:packagehub:15"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python3-Flask-0.12.4-3.3.26.noarch as component of SUSE Linux Enterprise Module for Basesystem 15",
          "product_id": "SUSE Linux Enterprise Module for Basesystem 15:python3-Flask-0.12.4-3.3.26.noarch"
        },
        "product_reference": "python3-Flask-0.12.4-3.3.26.noarch",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Basesystem 15"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python2-Flask-0.12.4-3.3.26.noarch as component of SUSE Linux Enterprise Module for Package Hub 15",
          "product_id": "SUSE Linux Enterprise Module for Package Hub 15:python2-Flask-0.12.4-3.3.26.noarch"
        },
        "product_reference": "python2-Flask-0.12.4-3.3.26.noarch",
        "relates_to_product_reference": "SUSE Linux Enterprise Module for Package Hub 15"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2018-1000656",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2018-1000656"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. NOTE: this may overlap CVE-2019-1010083.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise Module for Basesystem 15:python3-Flask-0.12.4-3.3.26.noarch",
          "SUSE Linux Enterprise Module for Package Hub 15:python2-Flask-0.12.4-3.3.26.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2018-1000656",
          "url": "https://www.suse.com/security/cve/CVE-2018-1000656"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1106279 for CVE-2018-1000656",
          "url": "https://bugzilla.suse.com/1106279"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise Module for Basesystem 15:python3-Flask-0.12.4-3.3.26.noarch",
            "SUSE Linux Enterprise Module for Package Hub 15:python2-Flask-0.12.4-3.3.26.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 3.3,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
            "version": "3.0"
          },
          "products": [
            "SUSE Linux Enterprise Module for Basesystem 15:python3-Flask-0.12.4-3.3.26.noarch",
            "SUSE Linux Enterprise Module for Package Hub 15:python2-Flask-0.12.4-3.3.26.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2019-03-20T11:49:45Z",
          "details": "low"
        }
      ],
      "title": "CVE-2018-1000656"
    }
  ]
}

FKIE_CVE-2018-1000656

Vulnerability from fkie_nvd - Published: 2018-08-20 19:31 - Updated: 2024-11-21 03:40

Severity ?

7.5 (High) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

References

URL	Tags
cve@mitre.org	https://github.com/pallets/flask/pull/2691	Issue Tracking, Patch, Third Party Advisory
cve@mitre.org	https://github.com/pallets/flask/releases/tag/0.12.3	Third Party Advisory
cve@mitre.org	https://lists.debian.org/debian-lts-announce/2019/08/msg00025.html
cve@mitre.org	https://security.netapp.com/advisory/ntap-20190221-0001/	Patch, Third Party Advisory
cve@mitre.org	https://usn.ubuntu.com/4378-1/
af854a3a-2127-422b-91ae-364da2661108	https://github.com/pallets/flask/pull/2691	Issue Tracking, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/pallets/flask/releases/tag/0.12.3	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.debian.org/debian-lts-announce/2019/08/msg00025.html
af854a3a-2127-422b-91ae-364da2661108	https://security.netapp.com/advisory/ntap-20190221-0001/	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://usn.ubuntu.com/4378-1/

Impacted products

Vendor	Product	Version
palletsprojects	flask	*
netapp	active_iq	*
netapp	hyper_converged_infrastructure	*
netapp	ontap_select_deploy_utility	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:palletsprojects:flask:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "673F0EBE-9B78-49D9-B85F-8DBC01B5B47A",
              "versionEndExcluding": "0.12.3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:netapp:active_iq:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "8750B659-22D0-472A-8505-1B0C023764B3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:netapp:hyper_converged_infrastructure:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "F26D2581-1244-4C0E-8994-7FAF104C90FF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:netapp:ontap_select_deploy_utility:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "89DDC4B1-1738-4AAC-ABDE-1E91C32890BA",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. NOTE: this may overlap CVE-2019-1010083."
    },
    {
      "lang": "es",
      "value": "Flask de The Pallets Project en versiones anteriores a la 0.12.3 contiene una vulnerabilidad CWE-20: Validaci\u00f3n de entradas incorrecta en flask que puede dar lugar al uso de una gran cantidad de memoria, posiblemente conduciendo a una denegaci\u00f3n de servicio (DoS). Este ataque parece ser explotable si el atacante proporciona datos JSON en la codificaci\u00f3n incorrecta. La vulnerabilidad parece haber sido solucionada en la versi\u00f3n 0.12.3.NOTA: esto puede superponerse a CVE-2019-1010083."
    }
  ],
  "id": "CVE-2018-1000656",
  "lastModified": "2024-11-21T03:40:20.450",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 5.0,
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2018-08-20T19:31:45.340",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/pallets/flask/pull/2691"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/pallets/flask/releases/tag/0.12.3"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00025.html"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20190221-0001/"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://usn.ubuntu.com/4378-1/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/pallets/flask/pull/2691"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://github.com/pallets/flask/releases/tag/0.12.3"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00025.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20190221-0001/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://usn.ubuntu.com/4378-1/"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-20"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GSD-2018-1000656

Vulnerability from gsd - Updated: 2023-12-13 01:22

Details

Aliases

CVE-2018-1000656

Aliases

CVE-2018-1000656

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2018-1000656",
    "description": "The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. NOTE: this may overlap CVE-2019-1010083.",
    "id": "GSD-2018-1000656",
    "references": [
      "https://www.suse.com/security/cve/CVE-2018-1000656.html",
      "https://access.redhat.com/errata/RHSA-2020:0870",
      "https://ubuntu.com/security/CVE-2018-1000656"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2018-1000656"
      ],
      "details": "The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. NOTE: this may overlap CVE-2019-1010083.",
      "id": "GSD-2018-1000656",
      "modified": "2023-12-13T01:22:27.709802Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "DATE_ASSIGNED": "2018-08-19T17:09:33.130462",
        "DATE_REQUESTED": "2018-08-15T16:18:15",
        "ID": "CVE-2018-1000656",
        "REQUESTER": "secure@veritas.com",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. NOTE: this may overlap CVE-2019-1010083."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://security.netapp.com/advisory/ntap-20190221-0001/",
            "refsource": "CONFIRM",
            "url": "https://security.netapp.com/advisory/ntap-20190221-0001/"
          },
          {
            "name": "https://github.com/pallets/flask/pull/2691",
            "refsource": "CONFIRM",
            "url": "https://github.com/pallets/flask/pull/2691"
          },
          {
            "name": "https://github.com/pallets/flask/releases/tag/0.12.3",
            "refsource": "CONFIRM",
            "url": "https://github.com/pallets/flask/releases/tag/0.12.3"
          },
          {
            "name": "[debian-lts-announce] 20190820 [SECURITY] [DLA 1892-1] flask security update",
            "refsource": "MLIST",
            "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00025.html"
          },
          {
            "name": "USN-4378-1",
            "refsource": "UBUNTU",
            "url": "https://usn.ubuntu.com/4378-1/"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c0.12.3",
          "affected_versions": "All versions before 0.12.3",
          "cvss_v2": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "cvss_v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-20",
            "CWE-937"
          ],
          "date": "2019-08-25",
          "description": "Improper Input Validation vulnerability in Flask that can result in large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding.",
          "fixed_versions": [
            "0.12.3"
          ],
          "identifier": "CVE-2018-1000656",
          "identifiers": [
            "CVE-2018-1000656"
          ],
          "not_impacted": "All versions starting from 0.12.3",
          "package_slug": "pypi/Flask",
          "pubdate": "2018-08-20",
          "solution": "Upgrade to version 0.12.3 or above.",
          "title": "Improper Input Validation",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2018-1000656",
            "https://github.com/pallets/flask/pull/2691"
          ],
          "uuid": "b2eb5815-838e-4233-b049-f17d0120134e"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:palletsprojects:flask:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "0.12.3",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:netapp:ontap_select_deploy_utility:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:netapp:hyper_converged_infrastructure:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:netapp:active_iq:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2018-1000656"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. NOTE: this may overlap CVE-2019-1010083."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-20"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/pallets/flask/releases/tag/0.12.3",
              "refsource": "CONFIRM",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://github.com/pallets/flask/releases/tag/0.12.3"
            },
            {
              "name": "https://github.com/pallets/flask/pull/2691",
              "refsource": "CONFIRM",
              "tags": [
                "Issue Tracking",
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/pallets/flask/pull/2691"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20190221-0001/",
              "refsource": "CONFIRM",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20190221-0001/"
            },
            {
              "name": "[debian-lts-announce] 20190820 [SECURITY] [DLA 1892-1] flask security update",
              "refsource": "MLIST",
              "tags": [],
              "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00025.html"
            },
            {
              "name": "USN-4378-1",
              "refsource": "UBUNTU",
              "tags": [],
              "url": "https://usn.ubuntu.com/4378-1/"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2020-06-09T22:15Z",
      "publishedDate": "2018-08-20T19:31Z"
    }
  }
}

CERTFR-2024-AVI-0366

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans les produits IBM. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une élévation de privilèges et un déni de service à distance.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
IBM	Cloud Pak	IBM Cloud Pak for Security versions 1.10.x.x antérieures à 1.10.21.0
IBM	QRadar Suite Software	QRadar Suite Software versions 1.10.x.x antérieures à 1.10.21.0
IBM	QRadar Assistant	QRadar Assistant versions antérieures à 3.7.0
IBM	Cognos Analytics	Cognos Analytics versions 12.0.x antérieures à 12.0.3
IBM	QRadar SIEM	QRadar SIEM sur Azure Marketplace versions antérieures à 7.3.x postérieures à 7.3.3 et antérieures à 7.5.0 avec le paquet OMI installé
IBM	WebSphere	WebSphere eXtreme Scale versions 8.6.1.x antérieures à 8.6.1.6 sans le correctif de sécurité PH61029
IBM	Cognos Analytics	Cognos Analytics versions 11.2.x FP2 antérieures à 11.2.4 FP3

References

Title

Publication Time

Tags

Bulletin de sécurité IBM 7149736 du 29 avril 2024	None	vendor-advisory
Bulletin de sécurité IBM 7150045 du 01 mai 2024	None	vendor-advisory
Bulletin de sécurité IBM 7149967 du 01 mai 2024	None	vendor-advisory
Bulletin de sécurité IBM 7149874 du 01 mai 2024	None	vendor-advisory
Bulletin de sécurité IBM 7150150 du 03 mai 2024	None	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "IBM Cloud Pak for Security versions 1.10.x.x ant\u00e9rieures \u00e0 1.10.21.0",
      "product": {
        "name": "Cloud Pak",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "QRadar Suite Software versions 1.10.x.x ant\u00e9rieures \u00e0 1.10.21.0",
      "product": {
        "name": "QRadar Suite Software",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "QRadar Assistant versions ant\u00e9rieures \u00e0 3.7.0",
      "product": {
        "name": "QRadar Assistant",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "Cognos Analytics versions 12.0.x ant\u00e9rieures \u00e0 12.0.3",
      "product": {
        "name": "Cognos Analytics",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "QRadar SIEM sur Azure Marketplace versions ant\u00e9rieures \u00e0 7.3.x post\u00e9rieures \u00e0 7.3.3 et ant\u00e9rieures \u00e0 7.5.0 avec le paquet OMI install\u00e9",
      "product": {
        "name": "QRadar SIEM",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "WebSphere eXtreme Scale versions 8.6.1.x ant\u00e9rieures \u00e0 8.6.1.6 sans le correctif de s\u00e9curit\u00e9 PH61029",
      "product": {
        "name": "WebSphere",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "Cognos Analytics versions 11.2.x FP2 ant\u00e9rieures \u00e0 11.2.4 FP3",
      "product": {
        "name": "Cognos Analytics",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2023-25577",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-25577"
    },
    {
      "name": "CVE-2022-31116",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-31116"
    },
    {
      "name": "CVE-2023-28841",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-28841"
    },
    {
      "name": "CVE-2024-28849",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-28849"
    },
    {
      "name": "CVE-2023-28840",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-28840"
    },
    {
      "name": "CVE-2023-45857",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-45857"
    },
    {
      "name": "CVE-2021-30465",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-30465"
    },
    {
      "name": "CVE-2022-29162",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-29162"
    },
    {
      "name": "CVE-2022-31117",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-31117"
    },
    {
      "name": "CVE-2023-23934",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-23934"
    },
    {
      "name": "CVE-2023-27561",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-27561"
    },
    {
      "name": "CVE-2024-28102",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-28102"
    },
    {
      "name": "CVE-2019-14322",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-14322"
    },
    {
      "name": "CVE-2023-44270",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-44270"
    },
    {
      "name": "CVE-2023-34462",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-34462"
    },
    {
      "name": "CVE-2019-1010083",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-1010083"
    },
    {
      "name": "CVE-2018-18074",
      "url": "https://www.cve.org/CVERecord?id=CVE-2018-18074"
    },
    {
      "name": "CVE-2022-23541",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-23541"
    },
    {
      "name": "CVE-2023-44487",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-44487"
    },
    {
      "name": "CVE-2022-40897",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-40897"
    },
    {
      "name": "CVE-2023-5072",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-5072"
    },
    {
      "name": "CVE-2024-21503",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-21503"
    },
    {
      "name": "CVE-2022-23540",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-23540"
    },
    {
      "name": "CVE-2024-1135",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-1135"
    },
    {
      "name": "CVE-2024-21501",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-21501"
    },
    {
      "name": "CVE-2024-22195",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-22195"
    },
    {
      "name": "CVE-2021-43784",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-43784"
    },
    {
      "name": "CVE-2023-28842",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-28842"
    },
    {
      "name": "CVE-2024-29131",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-29131"
    },
    {
      "name": "CVE-2024-21334",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-21334"
    },
    {
      "name": "CVE-2023-25809",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-25809"
    },
    {
      "name": "CVE-2016-10745",
      "url": "https://www.cve.org/CVERecord?id=CVE-2016-10745"
    },
    {
      "name": "CVE-2023-46136",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-46136"
    },
    {
      "name": "CVE-2024-29133",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-29133"
    },
    {
      "name": "CVE-2023-44981",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-44981"
    },
    {
      "name": "CVE-2024-27088",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-27088"
    },
    {
      "name": "CVE-2022-23539",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-23539"
    },
    {
      "name": "CVE-2018-1000656",
      "url": "https://www.cve.org/CVERecord?id=CVE-2018-1000656"
    },
    {
      "name": "CVE-2024-25047",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-25047"
    },
    {
      "name": "CVE-2021-28363",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-28363"
    },
    {
      "name": "CVE-2020-15366",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-15366"
    },
    {
      "name": "CVE-2015-3627",
      "url": "https://www.cve.org/CVERecord?id=CVE-2015-3627"
    },
    {
      "name": "CVE-2023-31484",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-31484"
    },
    {
      "name": "CVE-2023-28642",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-28642"
    },
    {
      "name": "CVE-2016-10516",
      "url": "https://www.cve.org/CVERecord?id=CVE-2016-10516"
    },
    {
      "name": "CVE-2020-25032",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-25032"
    },
    {
      "name": "CVE-2021-45958",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-45958"
    },
    {
      "name": "CVE-2023-30861",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-30861"
    },
    {
      "name": "CVE-2021-43565",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-43565"
    },
    {
      "name": "CVE-2023-32681",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-32681"
    },
    {
      "name": "CVE-2020-28493",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-28493"
    },
    {
      "name": "CVE-2023-26159",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-26159"
    },
    {
      "name": "CVE-2024-24758",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-24758"
    }
  ],
  "links": [],
  "reference": "CERTFR-2024-AVI-0366",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2024-05-03T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    },
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans \u003cspan\nclass=\"textit\"\u003eles produits IBM\u003c/span\u003e. Certaines d\u0027entre elles\npermettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire\n\u00e0 distance, une \u00e9l\u00e9vation de privil\u00e8ges et un d\u00e9ni de service \u00e0\ndistance.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits IBM",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7149736 du 29 avril 2024",
      "url": "https://www.ibm.com/support/pages/node/7149736"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7150045 du 01 mai 2024",
      "url": "https://www.ibm.com/support/pages/node/7150045"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7149967 du 01 mai 2024",
      "url": "https://www.ibm.com/support/pages/node/7149967"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7149874 du 01 mai 2024",
      "url": "https://www.ibm.com/support/pages/node/7149874"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7150150 du 03 mai 2024",
      "url": "https://www.ibm.com/support/pages/node/7150150"
    }
  ]
}

CERTFR-2024-AVI-0366

Vulnerability from certfr_avis - Published: - Updated:

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
IBM	Cloud Pak	IBM Cloud Pak for Security versions 1.10.x.x antérieures à 1.10.21.0
IBM	QRadar Suite Software	QRadar Suite Software versions 1.10.x.x antérieures à 1.10.21.0
IBM	QRadar Assistant	QRadar Assistant versions antérieures à 3.7.0
IBM	Cognos Analytics	Cognos Analytics versions 12.0.x antérieures à 12.0.3
IBM	QRadar SIEM	QRadar SIEM sur Azure Marketplace versions antérieures à 7.3.x postérieures à 7.3.3 et antérieures à 7.5.0 avec le paquet OMI installé
IBM	WebSphere	WebSphere eXtreme Scale versions 8.6.1.x antérieures à 8.6.1.6 sans le correctif de sécurité PH61029
IBM	Cognos Analytics	Cognos Analytics versions 11.2.x FP2 antérieures à 11.2.4 FP3

References

Title

Publication Time

Tags

Bulletin de sécurité IBM 7149736 du 29 avril 2024	None	vendor-advisory
Bulletin de sécurité IBM 7150045 du 01 mai 2024	None	vendor-advisory
Bulletin de sécurité IBM 7149967 du 01 mai 2024	None	vendor-advisory
Bulletin de sécurité IBM 7149874 du 01 mai 2024	None	vendor-advisory
Bulletin de sécurité IBM 7150150 du 03 mai 2024	None	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "IBM Cloud Pak for Security versions 1.10.x.x ant\u00e9rieures \u00e0 1.10.21.0",
      "product": {
        "name": "Cloud Pak",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "QRadar Suite Software versions 1.10.x.x ant\u00e9rieures \u00e0 1.10.21.0",
      "product": {
        "name": "QRadar Suite Software",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "QRadar Assistant versions ant\u00e9rieures \u00e0 3.7.0",
      "product": {
        "name": "QRadar Assistant",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "Cognos Analytics versions 12.0.x ant\u00e9rieures \u00e0 12.0.3",
      "product": {
        "name": "Cognos Analytics",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "QRadar SIEM sur Azure Marketplace versions ant\u00e9rieures \u00e0 7.3.x post\u00e9rieures \u00e0 7.3.3 et ant\u00e9rieures \u00e0 7.5.0 avec le paquet OMI install\u00e9",
      "product": {
        "name": "QRadar SIEM",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "WebSphere eXtreme Scale versions 8.6.1.x ant\u00e9rieures \u00e0 8.6.1.6 sans le correctif de s\u00e9curit\u00e9 PH61029",
      "product": {
        "name": "WebSphere",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    },
    {
      "description": "Cognos Analytics versions 11.2.x FP2 ant\u00e9rieures \u00e0 11.2.4 FP3",
      "product": {
        "name": "Cognos Analytics",
        "vendor": {
          "name": "IBM",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
  "cves": [
    {
      "name": "CVE-2023-25577",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-25577"
    },
    {
      "name": "CVE-2022-31116",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-31116"
    },
    {
      "name": "CVE-2023-28841",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-28841"
    },
    {
      "name": "CVE-2024-28849",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-28849"
    },
    {
      "name": "CVE-2023-28840",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-28840"
    },
    {
      "name": "CVE-2023-45857",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-45857"
    },
    {
      "name": "CVE-2021-30465",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-30465"
    },
    {
      "name": "CVE-2022-29162",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-29162"
    },
    {
      "name": "CVE-2022-31117",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-31117"
    },
    {
      "name": "CVE-2023-23934",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-23934"
    },
    {
      "name": "CVE-2023-27561",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-27561"
    },
    {
      "name": "CVE-2024-28102",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-28102"
    },
    {
      "name": "CVE-2019-14322",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-14322"
    },
    {
      "name": "CVE-2023-44270",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-44270"
    },
    {
      "name": "CVE-2023-34462",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-34462"
    },
    {
      "name": "CVE-2019-1010083",
      "url": "https://www.cve.org/CVERecord?id=CVE-2019-1010083"
    },
    {
      "name": "CVE-2018-18074",
      "url": "https://www.cve.org/CVERecord?id=CVE-2018-18074"
    },
    {
      "name": "CVE-2022-23541",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-23541"
    },
    {
      "name": "CVE-2023-44487",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-44487"
    },
    {
      "name": "CVE-2022-40897",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-40897"
    },
    {
      "name": "CVE-2023-5072",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-5072"
    },
    {
      "name": "CVE-2024-21503",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-21503"
    },
    {
      "name": "CVE-2022-23540",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-23540"
    },
    {
      "name": "CVE-2024-1135",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-1135"
    },
    {
      "name": "CVE-2024-21501",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-21501"
    },
    {
      "name": "CVE-2024-22195",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-22195"
    },
    {
      "name": "CVE-2021-43784",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-43784"
    },
    {
      "name": "CVE-2023-28842",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-28842"
    },
    {
      "name": "CVE-2024-29131",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-29131"
    },
    {
      "name": "CVE-2024-21334",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-21334"
    },
    {
      "name": "CVE-2023-25809",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-25809"
    },
    {
      "name": "CVE-2016-10745",
      "url": "https://www.cve.org/CVERecord?id=CVE-2016-10745"
    },
    {
      "name": "CVE-2023-46136",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-46136"
    },
    {
      "name": "CVE-2024-29133",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-29133"
    },
    {
      "name": "CVE-2023-44981",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-44981"
    },
    {
      "name": "CVE-2024-27088",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-27088"
    },
    {
      "name": "CVE-2022-23539",
      "url": "https://www.cve.org/CVERecord?id=CVE-2022-23539"
    },
    {
      "name": "CVE-2018-1000656",
      "url": "https://www.cve.org/CVERecord?id=CVE-2018-1000656"
    },
    {
      "name": "CVE-2024-25047",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-25047"
    },
    {
      "name": "CVE-2021-28363",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-28363"
    },
    {
      "name": "CVE-2020-15366",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-15366"
    },
    {
      "name": "CVE-2015-3627",
      "url": "https://www.cve.org/CVERecord?id=CVE-2015-3627"
    },
    {
      "name": "CVE-2023-31484",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-31484"
    },
    {
      "name": "CVE-2023-28642",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-28642"
    },
    {
      "name": "CVE-2016-10516",
      "url": "https://www.cve.org/CVERecord?id=CVE-2016-10516"
    },
    {
      "name": "CVE-2020-25032",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-25032"
    },
    {
      "name": "CVE-2021-45958",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-45958"
    },
    {
      "name": "CVE-2023-30861",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-30861"
    },
    {
      "name": "CVE-2021-43565",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-43565"
    },
    {
      "name": "CVE-2023-32681",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-32681"
    },
    {
      "name": "CVE-2020-28493",
      "url": "https://www.cve.org/CVERecord?id=CVE-2020-28493"
    },
    {
      "name": "CVE-2023-26159",
      "url": "https://www.cve.org/CVERecord?id=CVE-2023-26159"
    },
    {
      "name": "CVE-2024-24758",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-24758"
    }
  ],
  "links": [],
  "reference": "CERTFR-2024-AVI-0366",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2024-05-03T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
    },
    {
      "description": "\u00c9l\u00e9vation de privil\u00e8ges"
    },
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    },
    {
      "description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
    },
    {
      "description": "Contournement de la politique de s\u00e9curit\u00e9"
    },
    {
      "description": "Injection de code indirecte \u00e0 distance (XSS)"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans \u003cspan\nclass=\"textit\"\u003eles produits IBM\u003c/span\u003e. Certaines d\u0027entre elles\npermettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire\n\u00e0 distance, une \u00e9l\u00e9vation de privil\u00e8ges et un d\u00e9ni de service \u00e0\ndistance.\n",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits IBM",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7149736 du 29 avril 2024",
      "url": "https://www.ibm.com/support/pages/node/7149736"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7150045 du 01 mai 2024",
      "url": "https://www.ibm.com/support/pages/node/7150045"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7149967 du 01 mai 2024",
      "url": "https://www.ibm.com/support/pages/node/7149967"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7149874 du 01 mai 2024",
      "url": "https://www.ibm.com/support/pages/node/7149874"
    },
    {
      "published_at": null,
      "title": "Bulletin de s\u00e9curit\u00e9 IBM 7150150 du 03 mai 2024",
      "url": "https://www.ibm.com/support/pages/node/7150150"
    }
  ]
}

RHSA-2020_0870

Vulnerability from csaf_redhat - Published: 2020-03-17 17:12 - Updated: 2024-11-22 14:35

Summary

Red Hat Security Advisory: python-flask security update

Notes

Topic

An update for python-flask is now available for Red Hat Enterprise Linux 7 Extras. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details

Flask is a lightweight but extensible web development framework for Python based on the Werkzeug WSGI toolkit, and the Jinja 2 template engine. Security Fix(es): * python-flask: Denial of Service via crafted JSON file (CVE-2018-1000656) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Low"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update for python-flask is now available for Red Hat Enterprise Linux 7 Extras.\n\nRed Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Flask is a lightweight but extensible web development framework for Python based on the Werkzeug WSGI toolkit, and the Jinja 2 template engine.\n\nSecurity Fix(es):\n\n* python-flask: Denial of Service via crafted JSON file (CVE-2018-1000656)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2020:0870",
        "url": "https://access.redhat.com/errata/RHSA-2020:0870"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#low",
        "url": "https://access.redhat.com/security/updates/classification/#low"
      },
      {
        "category": "external",
        "summary": "1623131",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1623131"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2020/rhsa-2020_0870.json"
      }
    ],
    "title": "Red Hat Security Advisory: python-flask security update",
    "tracking": {
      "current_release_date": "2024-11-22T14:35:27+00:00",
      "generator": {
        "date": "2024-11-22T14:35:27+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHSA-2020:0870",
      "initial_release_date": "2020-03-17T17:12:40+00:00",
      "revision_history": [
        {
          "date": "2020-03-17T17:12:40+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2020-03-17T17:12:40+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-22T14:35:27+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux 7 Extras",
                "product": {
                  "name": "Red Hat Enterprise Linux 7 Extras",
                  "product_id": "7Server-EXTRAS-7.7",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:rhel_extras_other:7"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Enterprise Linux Extras"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python-flask-1:0.10.1-5.el7_7.noarch",
                "product": {
                  "name": "python-flask-1:0.10.1-5.el7_7.noarch",
                  "product_id": "python-flask-1:0.10.1-5.el7_7.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/python-flask@0.10.1-5.el7_7?arch=noarch\u0026epoch=1"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python-flask-1:0.10.1-5.el7_7.src",
                "product": {
                  "name": "python-flask-1:0.10.1-5.el7_7.src",
                  "product_id": "python-flask-1:0.10.1-5.el7_7.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/python-flask@0.10.1-5.el7_7?arch=src\u0026epoch=1"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-flask-1:0.10.1-5.el7_7.noarch as a component of Red Hat Enterprise Linux 7 Extras",
          "product_id": "7Server-EXTRAS-7.7:python-flask-1:0.10.1-5.el7_7.noarch"
        },
        "product_reference": "python-flask-1:0.10.1-5.el7_7.noarch",
        "relates_to_product_reference": "7Server-EXTRAS-7.7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-flask-1:0.10.1-5.el7_7.src as a component of Red Hat Enterprise Linux 7 Extras",
          "product_id": "7Server-EXTRAS-7.7:python-flask-1:0.10.1-5.el7_7.src"
        },
        "product_reference": "python-flask-1:0.10.1-5.el7_7.src",
        "relates_to_product_reference": "7Server-EXTRAS-7.7"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2018-1000656",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "discovery_date": "2018-08-20T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1623131"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. NOTE: this may overlap CVE-2019-1010083.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "python-flask: Denial of Service via crafted JSON file",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This issue affects the versions of python-flask as shipped with Red Hat Enterprise Linux 7.\n\nAlthough Red Hat Satellite 6 contains the vulnerable component, the former is not affected due to python-flask only receiving JSON data created by other Red Hat Satellite 6 components, not user-controlled JSON data, which makes the attack unfeasible.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "7Server-EXTRAS-7.7:python-flask-1:0.10.1-5.el7_7.noarch",
          "7Server-EXTRAS-7.7:python-flask-1:0.10.1-5.el7_7.src"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2018-1000656"
        },
        {
          "category": "external",
          "summary": "RHBZ#1623131",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1623131"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2018-1000656",
          "url": "https://www.cve.org/CVERecord?id=CVE-2018-1000656"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000656",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000656"
        }
      ],
      "release_date": "2018-04-10T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-03-17T17:12:40+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "7Server-EXTRAS-7.7:python-flask-1:0.10.1-5.el7_7.noarch",
            "7Server-EXTRAS-7.7:python-flask-1:0.10.1-5.el7_7.src"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:0870"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "7Server-EXTRAS-7.7:python-flask-1:0.10.1-5.el7_7.noarch",
            "7Server-EXTRAS-7.7:python-flask-1:0.10.1-5.el7_7.src"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "python-flask: Denial of Service via crafted JSON file"
    }
  ]
}

RHSA-2020:0870

Vulnerability from csaf_redhat - Published: 2020-03-17 17:12 - Updated: 2025-11-21 18:12

Summary

Red Hat Security Advisory: python-flask security update

Notes

Topic

Details

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Low"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update for python-flask is now available for Red Hat Enterprise Linux 7 Extras.\n\nRed Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Flask is a lightweight but extensible web development framework for Python based on the Werkzeug WSGI toolkit, and the Jinja 2 template engine.\n\nSecurity Fix(es):\n\n* python-flask: Denial of Service via crafted JSON file (CVE-2018-1000656)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2020:0870",
        "url": "https://access.redhat.com/errata/RHSA-2020:0870"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#low",
        "url": "https://access.redhat.com/security/updates/classification/#low"
      },
      {
        "category": "external",
        "summary": "1623131",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1623131"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2020/rhsa-2020_0870.json"
      }
    ],
    "title": "Red Hat Security Advisory: python-flask security update",
    "tracking": {
      "current_release_date": "2025-11-21T18:12:48+00:00",
      "generator": {
        "date": "2025-11-21T18:12:48+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.6.12"
        }
      },
      "id": "RHSA-2020:0870",
      "initial_release_date": "2020-03-17T17:12:40+00:00",
      "revision_history": [
        {
          "date": "2020-03-17T17:12:40+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2020-03-17T17:12:40+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2025-11-21T18:12:48+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat Enterprise Linux 7 Extras",
                "product": {
                  "name": "Red Hat Enterprise Linux 7 Extras",
                  "product_id": "7Server-EXTRAS-7.7",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:rhel_extras_other:7"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Enterprise Linux Extras"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python-flask-1:0.10.1-5.el7_7.noarch",
                "product": {
                  "name": "python-flask-1:0.10.1-5.el7_7.noarch",
                  "product_id": "python-flask-1:0.10.1-5.el7_7.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/python-flask@0.10.1-5.el7_7?arch=noarch\u0026epoch=1"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python-flask-1:0.10.1-5.el7_7.src",
                "product": {
                  "name": "python-flask-1:0.10.1-5.el7_7.src",
                  "product_id": "python-flask-1:0.10.1-5.el7_7.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/python-flask@0.10.1-5.el7_7?arch=src\u0026epoch=1"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-flask-1:0.10.1-5.el7_7.noarch as a component of Red Hat Enterprise Linux 7 Extras",
          "product_id": "7Server-EXTRAS-7.7:python-flask-1:0.10.1-5.el7_7.noarch"
        },
        "product_reference": "python-flask-1:0.10.1-5.el7_7.noarch",
        "relates_to_product_reference": "7Server-EXTRAS-7.7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python-flask-1:0.10.1-5.el7_7.src as a component of Red Hat Enterprise Linux 7 Extras",
          "product_id": "7Server-EXTRAS-7.7:python-flask-1:0.10.1-5.el7_7.src"
        },
        "product_reference": "python-flask-1:0.10.1-5.el7_7.src",
        "relates_to_product_reference": "7Server-EXTRAS-7.7"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2018-1000656",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "discovery_date": "2018-08-20T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1623131"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. NOTE: this may overlap CVE-2019-1010083.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "python-flask: Denial of Service via crafted JSON file",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This issue affects the versions of python-flask as shipped with Red Hat Enterprise Linux 7.\n\nAlthough Red Hat Satellite 6 contains the vulnerable component, the former is not affected due to python-flask only receiving JSON data created by other Red Hat Satellite 6 components, not user-controlled JSON data, which makes the attack unfeasible.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "7Server-EXTRAS-7.7:python-flask-1:0.10.1-5.el7_7.noarch",
          "7Server-EXTRAS-7.7:python-flask-1:0.10.1-5.el7_7.src"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2018-1000656"
        },
        {
          "category": "external",
          "summary": "RHBZ#1623131",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1623131"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2018-1000656",
          "url": "https://www.cve.org/CVERecord?id=CVE-2018-1000656"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000656",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000656"
        }
      ],
      "release_date": "2018-04-10T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2020-03-17T17:12:40+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
          "product_ids": [
            "7Server-EXTRAS-7.7:python-flask-1:0.10.1-5.el7_7.noarch",
            "7Server-EXTRAS-7.7:python-flask-1:0.10.1-5.el7_7.src"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2020:0870"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "7Server-EXTRAS-7.7:python-flask-1:0.10.1-5.el7_7.noarch",
            "7Server-EXTRAS-7.7:python-flask-1:0.10.1-5.el7_7.src"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Low"
        }
      ],
      "title": "python-flask: Denial of Service via crafted JSON file"
    }
  ]
}

PYSEC-2018-66

Vulnerability from pysec - Published: 2018-08-20 19:31 - Updated: 2021-08-25 04:30

Details

Impacted products

Name	purl
flask	pkg:pypi/flask

Aliases

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "flask",
        "purl": "pkg:pypi/flask"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.12.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.1",
        "0.10",
        "0.10.1",
        "0.11",
        "0.11.1",
        "0.12",
        "0.12.1",
        "0.12.2",
        "0.2",
        "0.3",
        "0.3.1",
        "0.4",
        "0.5",
        "0.5.1",
        "0.5.2",
        "0.6",
        "0.6.1",
        "0.7",
        "0.7.1",
        "0.7.2",
        "0.8",
        "0.8.1",
        "0.9"
      ]
    }
  ],
  "aliases": [
    "CVE-2018-1000656",
    "GHSA-562c-5r94-xh97"
  ],
  "details": "The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. NOTE: this may overlap CVE-2019-1010083.",
  "id": "PYSEC-2018-66",
  "modified": "2021-08-25T04:30:09.712538Z",
  "published": "2018-08-20T19:31:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pallets/flask/releases/tag/0.12.3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pallets/flask/pull/2691"
    },
    {
      "type": "ADVISORY",
      "url": "https://security.netapp.com/advisory/ntap-20190221-0001/"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00025.html"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4378-1/"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-562c-5r94-xh97"
    }
  ]
}

OPENSUSE-SU-2019:1112-1

Vulnerability from csaf_opensuse - Published: 2019-04-02 11:03 - Updated: 2019-04-02 11:03

Summary

Security update for python-Flask

Notes

Title of the patch

Security update for python-Flask

Description of the patch

Patchnames

openSUSE-2019-1112

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "low"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for python-Flask",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for python-Flask to version 0.12.4 fixes the following issues:\n\nSecurity issue fixed:\n\n- CVE-2018-1000656: Fixed an improper input validation vulnerability in flask\n  that can result in Large amount of memory usage possibly leading to denial of\n  service. (bsc#1106279)\n\nThis update was imported from the SUSE:SLE-15:Update update project.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-2019-1112",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2019_1112-1.json"
      },
      {
        "category": "self",
        "summary": "URL for openSUSE-SU-2019:1112-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/QUU23JPF524WRYT6P2BYP5R5F5XP2QR2/#QUU23JPF524WRYT6P2BYP5R5F5XP2QR2"
      },
      {
        "category": "self",
        "summary": "E-Mail link for openSUSE-SU-2019:1112-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/QUU23JPF524WRYT6P2BYP5R5F5XP2QR2/#QUU23JPF524WRYT6P2BYP5R5F5XP2QR2"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1106279",
        "url": "https://bugzilla.suse.com/1106279"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2018-1000656 page",
        "url": "https://www.suse.com/security/cve/CVE-2018-1000656/"
      }
    ],
    "title": "Security update for python-Flask",
    "tracking": {
      "current_release_date": "2019-04-02T11:03:44Z",
      "generator": {
        "date": "2019-04-02T11:03:44Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2019:1112-1",
      "initial_release_date": "2019-04-02T11:03:44Z",
      "revision_history": [
        {
          "date": "2019-04-02T11:03:44Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "python2-Flask-0.12.4-lp150.2.3.1.noarch",
                "product": {
                  "name": "python2-Flask-0.12.4-lp150.2.3.1.noarch",
                  "product_id": "python2-Flask-0.12.4-lp150.2.3.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "python2-Flask-doc-0.12.4-lp150.2.3.1.noarch",
                "product": {
                  "name": "python2-Flask-doc-0.12.4-lp150.2.3.1.noarch",
                  "product_id": "python2-Flask-doc-0.12.4-lp150.2.3.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "python3-Flask-0.12.4-lp150.2.3.1.noarch",
                "product": {
                  "name": "python3-Flask-0.12.4-lp150.2.3.1.noarch",
                  "product_id": "python3-Flask-0.12.4-lp150.2.3.1.noarch"
                }
              },
              {
                "category": "product_version",
                "name": "python3-Flask-doc-0.12.4-lp150.2.3.1.noarch",
                "product": {
                  "name": "python3-Flask-doc-0.12.4-lp150.2.3.1.noarch",
                  "product_id": "python3-Flask-doc-0.12.4-lp150.2.3.1.noarch"
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Leap 15.0",
                "product": {
                  "name": "openSUSE Leap 15.0",
                  "product_id": "openSUSE Leap 15.0",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:leap:15.0"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python2-Flask-0.12.4-lp150.2.3.1.noarch as component of openSUSE Leap 15.0",
          "product_id": "openSUSE Leap 15.0:python2-Flask-0.12.4-lp150.2.3.1.noarch"
        },
        "product_reference": "python2-Flask-0.12.4-lp150.2.3.1.noarch",
        "relates_to_product_reference": "openSUSE Leap 15.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python2-Flask-doc-0.12.4-lp150.2.3.1.noarch as component of openSUSE Leap 15.0",
          "product_id": "openSUSE Leap 15.0:python2-Flask-doc-0.12.4-lp150.2.3.1.noarch"
        },
        "product_reference": "python2-Flask-doc-0.12.4-lp150.2.3.1.noarch",
        "relates_to_product_reference": "openSUSE Leap 15.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python3-Flask-0.12.4-lp150.2.3.1.noarch as component of openSUSE Leap 15.0",
          "product_id": "openSUSE Leap 15.0:python3-Flask-0.12.4-lp150.2.3.1.noarch"
        },
        "product_reference": "python3-Flask-0.12.4-lp150.2.3.1.noarch",
        "relates_to_product_reference": "openSUSE Leap 15.0"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "python3-Flask-doc-0.12.4-lp150.2.3.1.noarch as component of openSUSE Leap 15.0",
          "product_id": "openSUSE Leap 15.0:python3-Flask-doc-0.12.4-lp150.2.3.1.noarch"
        },
        "product_reference": "python3-Flask-doc-0.12.4-lp150.2.3.1.noarch",
        "relates_to_product_reference": "openSUSE Leap 15.0"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2018-1000656",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2018-1000656"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. NOTE: this may overlap CVE-2019-1010083.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Leap 15.0:python2-Flask-0.12.4-lp150.2.3.1.noarch",
          "openSUSE Leap 15.0:python2-Flask-doc-0.12.4-lp150.2.3.1.noarch",
          "openSUSE Leap 15.0:python3-Flask-0.12.4-lp150.2.3.1.noarch",
          "openSUSE Leap 15.0:python3-Flask-doc-0.12.4-lp150.2.3.1.noarch"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2018-1000656",
          "url": "https://www.suse.com/security/cve/CVE-2018-1000656"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1106279 for CVE-2018-1000656",
          "url": "https://bugzilla.suse.com/1106279"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Leap 15.0:python2-Flask-0.12.4-lp150.2.3.1.noarch",
            "openSUSE Leap 15.0:python2-Flask-doc-0.12.4-lp150.2.3.1.noarch",
            "openSUSE Leap 15.0:python3-Flask-0.12.4-lp150.2.3.1.noarch",
            "openSUSE Leap 15.0:python3-Flask-doc-0.12.4-lp150.2.3.1.noarch"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 3.3,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L",
            "version": "3.0"
          },
          "products": [
            "openSUSE Leap 15.0:python2-Flask-0.12.4-lp150.2.3.1.noarch",
            "openSUSE Leap 15.0:python2-Flask-doc-0.12.4-lp150.2.3.1.noarch",
            "openSUSE Leap 15.0:python3-Flask-0.12.4-lp150.2.3.1.noarch",
            "openSUSE Leap 15.0:python3-Flask-doc-0.12.4-lp150.2.3.1.noarch"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2019-04-02T11:03:44Z",
          "details": "low"
        }
      ],
      "title": "CVE-2018-1000656"
    }
  ]
}

GHSA-562C-5R94-XH97

Vulnerability from github – Published: 2018-08-23 19:10 – Updated: 2024-09-20 20:16

Summary

Flask is vulnerable to Denial of Service via incorrect encoding of JSON data

Details

Severity ?

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

8.7 (High)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "Flask"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.12.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2018-1000656"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:00:05Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3.",
  "id": "GHSA-562c-5r94-xh97",
  "modified": "2024-09-20T20:16:29Z",
  "published": "2018-08-23T19:10:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1000656"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pallets/flask/pull/2691"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pallets/flask/commit/b178e89e4456e777b1a7ac6d7199052d0dfdbbbe"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-562c-5r94-xh97"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pallets/flask"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pallets/flask/releases/tag/0.12.3"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/flask/PYSEC-2018-66.yaml"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2019/08/msg00025.html"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20190221-0001"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4378-1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Flask is vulnerable to Denial of Service via incorrect encoding of JSON data"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2018-1000656 (GCVE-0-2018-1000656)

Solution

Solution

Tags

Sightings

Nomenclature