VDB
CVE-2018-1000656
CVE-2018-1000656
PUBLISHED
The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. NOTE: this may overlap CVE-2019-1010083.
EPSS 0.64% · 71.1th percentile
Risk Scores
EPSS Score
0.64%
71.1th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:18.04:LTS | flask | 0.12.2-2, 0.12.2-3, 0 |
| Ubuntu:Pro:14.04:LTS | flask | 0.10.1-2build1, 0, 0.10.1-2 |
| Ubuntu:16.04:LTS | flask | 0.10.1-2build2, 0 |
Exploit Intelligence
- CIRCL seen: CVE-2018-1000656 (circl-sighting)
- CIRCL seen: CVE-2018-1000656 (circl-sighting)
- https://security.netapp.com/advisory/ntap-20190221-0001/ (circl)
- https://github.com/pallets/flask/pull/2691 (circl)
- https://github.com/pallets/flask/releases/tag/0.12.3 (circl)
- [debian-lts-announce] 20190820 [SECURITY] [DLA 1892-1] flask security update (circl)
- USN-4378-1 (circl)
- sarif.json (github-poc)
- sarif.json (github-poc)
- sarif.json (github-poc)
…and 7 more exploits
Timeline
- Aug 20, 2018 CVE Published
- Apr 14, 2021 EPSS Score
- Jun 23, 2021 EPSS Score
- Aug 24, 2021 EPSS Score
- Oct 26, 2021 EPSS Score
- Feb 4, 2022 EPSS Score
- Feb 28, 2022 EPSS Score
- May 2, 2022 EPSS Score
- Jul 3, 2022 EPSS Score
- Sep 5, 2022 EPSS Score
- Nov 6, 2022 EPSS Score
- Jan 8, 2023 EPSS Score
References
- https://ubuntu.com/security/CVE-2018-1000656 third-party-advisory
- https://github.com/pallets/flask/releases/tag/0.12.3 third-party-advisory
- https://ubuntu.com/security/notices/USN-4378-1 vendor-advisory
- https://www.cve.org/CVERecord?id=CVE-2018-1000656 third-party-advisory