Vulnerability CVE-2018-1000656

Vulnerability Name:

CVE-2018-1000656 (CCN-148677)

Assigned:

2018-04-10

Published:

2018-04-10

Updated:

2020-06-09

Summary:

The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3.
Note: this may overlap CVE-2019-1010083.

CVSS v3 Severity:

7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): High

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Low

CVSS v2 Severity:

5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Partial

5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Partial

Vulnerability Type:

CWE-20

Vulnerability Consequences:

Denial of Service

References:

Source: MITRE
Type: CNA
CVE-2018-1000656

Source: XF
Type: UNKNOWN
pallets-flask-cve20181000656-dos(148677)

Source: CCN
Type: flask GIT Repository
detect UTF encodings when loading json #2691

Source: CONFIRM
Type: Issue Tracking, Patch, Third Party Advisory
https://github.com/pallets/flask/pull/2691

Source: CONFIRM
Type: Third Party Advisory
https://github.com/pallets/flask/releases/tag/0.12.3

Source: MLIST
Type: UNKNOWN
[debian-lts-announce] 20190820 [SECURITY] [DLA 1892-1] flask security update

Source: CONFIRM
Type: Patch, Third Party Advisory
https://security.netapp.com/advisory/ntap-20190221-0001/

Source: UBUNTU
Type: UNKNOWN
USN-4378-1

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2018-1000656

Vulnerable Configuration:

Configuration 1:

cpe:/a:palletsprojects:flask:*:*:*:*:*:*:*:* (Version < 0.12.3)

Configuration 2:

cpe:/a:netapp:active_iq:*:*:*:*:*:*:*:*

OR cpe:/a:netapp:hyper_converged_infrastructure:*:*:*:*:*:*:*:*

OR cpe:/a:netapp:ontap_select_deploy_utility:*:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:20181000656	V	CVE-2018-1000656	2023-06-22
oval:org.opensuse.security:def:51571	P	Security update for tiff (Important)	2022-11-28
oval:org.opensuse.security:def:3797	P	Security update for gimp (Moderate)	2022-08-01
oval:org.opensuse.security:def:3707	P	Security update for webkit2gtk3 (Important) (in QA)	2022-08-01
oval:org.opensuse.security:def:3771	P	Security update for xen (Important)	2022-07-29
oval:org.opensuse.security:def:3744	P	Security update for java-11-openjdk (Important) (in QA)	2022-07-22
oval:org.opensuse.security:def:3783	P	Security update for the Linux Kernel (Important)	2022-07-21
oval:org.opensuse.security:def:3376	P	syslog-service-2.0-778.1 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:3690	P	libu2f-host0-1.1.6-3.5.1 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:3696	P	libvirglrenderer0-0.5.0-11.1 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:3364	P	shadow-4.2.1-34.20 on GA media (Moderate)	2022-06-28
oval:org.opensuse.security:def:4539	P	Security update for the Linux Kernel (Live Patch 23 for SLE 12 SP5) (Important)	2021-12-14
oval:org.opensuse.security:def:51646	P	Security update for the Linux Kernel (Live Patch 39 for SLE 12 SP3) (Important)	2021-08-25
oval:org.opensuse.security:def:48116	P	libgme0-0.6.0-5.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47981	P	ctags-5.8-7.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47980	P	cron-4.2-59.10.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:48309	P	squashfs-4.3-6.2 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47995	P	dpdk-18.11.2-1.59 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:4555	P	Security update for jetty-minimal (Important)	2021-06-17
oval:org.opensuse.security:def:48895	P	bogofilter-1.2.4-5.3 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48533	P	libpcsclite1-1.8.10-3.4 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48681	P	libfbembed2_5-2.5.2.26539-13.42 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48441	P	gvim-7.4.326-2.14 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:1463	P	Security update for djvulibre (Important)	2021-05-19
oval:org.opensuse.security:def:51537	P	Security update for clamav (Important)	2021-04-14
oval:org.opensuse.security:def:51747	P	Security update for compat-openssl098 (Moderate)	2021-03-16
oval:org.opensuse.security:def:49298	P	Security update for python-urllib3 (Moderate)	2021-02-03
oval:org.opensuse.security:def:51469	P	Security update for postgresql12 (Important)	2020-12-04
oval:org.opensuse.security:def:3870	P	crash-devel-7.2.1-6.42 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:3901	P	giflib-devel-5.0.5-12.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:2101	P	xen-4.10.1_04-1.4 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:48979	P	cyrus-sasl-digestmd5-32bit-2.1.26-8.7.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:3891	P	freerdp-devel-2.0.0~git.1463131968.4e66df7-12.8.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:3894	P	gc-devel-7.2d-5.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:3853	P	apache2-mod_perl-devel-2.0.8-11.43 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:3897	P	gdk-pixbuf-devel-2.34.0-19.17.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:49041	P	libvpx1-32bit-1.3.0-3.3.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:2716	P	Security update for python (Moderate)	2020-12-02
oval:org.opensuse.security:def:2726	P	Security update for libopenmpt (Important)	2020-12-02
oval:org.opensuse.security:def:2639	P	Security update for cups (Moderate)	2020-12-02
oval:org.opensuse.security:def:2686	P	Security update for wireshark (Moderate)	2020-12-02
oval:org.opensuse.security:def:2671	P	Security update for cups (Important)	2020-12-02
oval:org.opensuse.security:def:2724	P	Security update for jasper (Moderate)	2020-12-02
oval:org.opensuse.security:def:2645	P	Security update for ImageMagick (Important)	2020-12-02
oval:org.opensuse.security:def:2710	P	Security update for zypper, libzypp and libsolv (Moderate)	2020-12-02
oval:org.opensuse.security:def:2677	P	Security update for jasper (Moderate)	2020-12-02
oval:org.opensuse.security:def:2635	P	Security update for libopenmpt (Moderate)	2020-12-02
oval:org.opensuse.security:def:2657	P	Security update for ImageMagick (Important)	2020-12-02
oval:org.opensuse.security:def:49171	P	libgtk-vnc-2_0-0 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:51809	P	Security update for python-Flask (Low)	2020-12-01
oval:org.opensuse.security:def:50207	P	libwpd-0_10-10 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:49904	P	aws-cli on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:50590	P	Security update for LibreOffice (Moderate)	2020-12-01
oval:org.opensuse.security:def:49106	P	glibc-locale-32bit on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:51386	P	Security update for libarchive (Moderate)	2020-12-01
oval:org.opensuse.security:def:49649	P	libSoundTouch0 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:49137	P	libQt5Concurrent-devel on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:50302	P	Security update for spice-gtk (Important)	2020-12-01
oval:org.opensuse.security:def:50228	P	gnome-photos on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:52986	P	Security update for python-Flask (Low)	2020-12-01
oval:org.opensuse.security:def:51015	P	Security update for libX11 (Moderate)	2020-12-01
oval:org.opensuse.security:def:50484	P	Security update for sysstat (Moderate)	2020-12-01
oval:org.opensuse.security:def:50367	P	Security update for zeromq (Important)	2020-12-01
oval:org.opensuse.security:def:50142	P	dia on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:50749	P	Security update for libxslt (Moderate)	2020-12-01
oval:org.opensuse.security:def:50398	P	Security update for cronie (Low)	2020-12-01
oval:org.opensuse.security:def:49153	P	libXv-devel on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:49747	P	nasm on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:49208	P	libopus0 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:50360	P	Security update for MozillaFirefox, mozilla-nspr and mozilla-nss (Important)	2020-12-01
oval:org.opensuse.security:def:51285	P	Security update for python (Important)	2020-12-01
oval:org.opensuse.security:def:50538	P	Security update for python-Flask (Low)	2020-12-01
oval:org.opensuse.security:def:49152	P	libXtst-devel on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:49503	P	bluez on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:50232	P	imobiledevice-tools on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:50208	P	openconnect on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:52922	P	Security update for the Linux Kernel (Live Patch 4 for SLE 15 SP1) (Important)	2020-12-01
oval:org.opensuse.security:def:50853	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:50471	P	Security update for libseccomp (Moderate)	2020-12-01
oval:com.ubuntu.xenial:def:201810006560000000	V	CVE-2018-1000656 on Ubuntu 16.04 LTS (xenial) - low.	2018-08-20
oval:com.ubuntu.bionic:def:20181000656000	V	CVE-2018-1000656 on Ubuntu 18.04 LTS (bionic) - low.	2018-08-20
oval:com.ubuntu.disco:def:201810006560000000	V	CVE-2018-1000656 on Ubuntu 19.04 (disco) - low.	2018-08-20
oval:com.ubuntu.cosmic:def:20181000656000	V	CVE-2018-1000656 on Ubuntu 18.10 (cosmic) - low.	2018-08-20
oval:com.ubuntu.cosmic:def:201810006560000000	V	CVE-2018-1000656 on Ubuntu 18.10 (cosmic) - low.	2018-08-20
oval:com.ubuntu.trusty:def:20181000656000	V	CVE-2018-1000656 on Ubuntu 14.04 LTS (trusty) - low.	2018-08-20
oval:com.ubuntu.bionic:def:201810006560000000	V	CVE-2018-1000656 on Ubuntu 18.04 LTS (bionic) - low.	2018-08-20
oval:com.ubuntu.xenial:def:20181000656000	V	CVE-2018-1000656 on Ubuntu 16.04 LTS (xenial) - low.	2018-08-20

BACK