HIGH · 7.5

CVE-2018-1000656

Vulnerability Description

The Pallets Project Flask before version 0.12.3 contains a CWE-20 (Improper Input Validation) vulnerability that can result in a large amount of memory usage, possibly leading to denial of service. The attack appears to be exploitable by an attacker providing JSON data in an incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. NOTE: this may overlap CVE-2019-1010083.

CVSS Score

7.5 (HIGH)

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: NONE
Integrity: NONE
Availability: HIGH

Affected Products

Vendor            Product                          Versions
Palletsprojects   Flask                            < 0.12.3
Netapp            Active Iq                        All versions
Netapp            Hyper Converged Infrastructure   All versions
Netapp            Ontap Select Deploy Utility      All versions

Related Weaknesses (CWE)

References

FAQ

What is CVE-2018-1000656?

CVE-2018-1000656 is a vulnerability with a CVSS score of 7.5 (HIGH). The Pallets Project Flask before version 0.12.3 contains a CWE-20 (Improper Input Validation) vulnerability that can result in a large amount of memory usage, possibly leading to denial of service.

How severe is CVE-2018-1000656?

CVE-2018-1000656 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for a detailed severity breakdown.

Is there a patch for CVE-2018-1000656?

Check the references section above for vendor advisories and patch information. Affected products include: Palletsprojects Flask, Netapp Active Iq, Netapp Hyper Converged Infrastructure, Netapp Ontap Select Deploy Utility.