Lucene search

Debian Security Bug TrackerDEBIANCVE:CVE-2021-21419

HistoryMay 07, 2021 - 3:15 p.m.

CVE-2021-21419

2021-05-0715:15:07

Debian Security Bug Tracker

security-tracker.debian.org

eventlet

python

websocket

memory exhaustion

vulnerability

patch

version 0.31.0

os limits

machine exhaustion

unix

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

EPSS

0.001

Percentile

47.2%

JSON

Eventlet is a concurrent networking library for Python. A websocket peer may exhaust memory on Eventlet side by sending very large websocket frames. Malicious peer may exhaust memory on Eventlet side by sending highly compressed data frame. A patch in version 0.31.0 restricts websocket frame to reasonable limits. As a workaround, restricting memory usage via OS limits would help against overall machine exhaustion, but there is no workaround to protect Eventlet process.

OSVersionArchitecturePackageVersionFilename
Debian12allpython-eventlet< 0.26.1-7python-eventlet_0.26.1-7_all.deb
Debian11allpython-eventlet< 0.26.1-7python-eventlet_0.26.1-7_all.deb
Debian999allpython-eventlet< 0.26.1-7python-eventlet_0.26.1-7_all.deb
Debian13allpython-eventlet< 0.26.1-7python-eventlet_0.26.1-7_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	python-eventlet	< 0.26.1-7	python-eventlet_0.26.1-7_all.deb
Debian	11	all	python-eventlet	< 0.26.1-7	python-eventlet_0.26.1-7_all.deb
Debian	999	all	python-eventlet	< 0.26.1-7	python-eventlet_0.26.1-7_all.deb
Debian	13	all	python-eventlet	< 0.26.1-7	python-eventlet_0.26.1-7_all.deb