History: Jun 22, 2021 - 12:00 a.m.

K63597327 : Python Flask vulnerability CVE-2018-1000656

2021-06-22 00:00:00
my.f5.com

AI Score: 7.5 High (Confidence: High)

EPSS: 0.004 Low (Percentile: 72.8%)

Security Advisory Description

Pallets Project Flask versions before 0.12.3 contain a CWE-20: Improper Input Validation vulnerability that can result in a large amount of memory usage, possibly leading to denial of service. This attack appears to be exploitable when an attacker provides JSON data in an incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. NOTE: this may overlap CVE-2019-1010083. (CVE-2018-1000656)

Impact

An attacker may use crafted JSON data to cause a denial-of-service (DoS) attack.

BIG-IQ Centralized Management

Only the control plane for the BIG-IQ Configuration utility uses the Python Flask module.

F5OS

Only the web server for the front panel LCD touchscreen uses Flask. The system uses the LCD web server only when you access the front panel touchscreen. No other component interacts with Flask.
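
The description above gives 0.12.3 as the fixed Flask release. The following added example (not part of the advisory and not F5 or Pallets code) flags pinned Flask versions below that release in a requirements-style listing; the function names and the sample input are constructed for illustration.

```python
import re

# First fixed release, taken from the advisory text above.
FIXED = (0, 12, 3)

# Pinned lines such as "Flask==0.12.2"; "flask-login==..." must not match.
PIN = re.compile(r"^\s*flask\s*==\s*([^\s;#]+)", re.IGNORECASE)
NUMERIC = re.compile(r"\d+(\.\d+)*")


def parse_version(text):
    """Turn '0.12.2' into (0, 12, 2), padding short versions with zeros."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def classify(version_text):
    """Return 'affected', 'ok', or 'review' for one pinned version string."""
    if not NUMERIC.fullmatch(version_text):
        return "review"  # pre-release or unusual tag: check by hand
    # Compare numerically: as strings, "0.12.10" would sort before "0.12.3".
    return "affected" if parse_version(version_text) < FIXED else "ok"


def scan_requirements(lines):
    """Return [(line_no, version, status)] for every pinned Flask line."""
    findings = []
    for no, line in enumerate(lines, start=1):
        match = PIN.match(line)
        if match:
            findings.append((no, match.group(1), classify(match.group(1))))
    return findings


# Constructed sample input, not taken from the advisory.
SAMPLE = """\
# constructed requirements listing
Flask==0.12.2
flask-login==0.4.1
requests==2.18.4
flask == 0.12.10   # numerically later than 0.12.3
Flask==0.12.3rc1
Flask==1.0
""".splitlines()

if __name__ == "__main__":
    for line_no, version, status in scan_requirements(SAMPLE):
        print(f"line {line_no}: Flask {version} -> {status}")
```

Only exact `==` pins are evaluated; range specifiers and unpinned entries are outside what this check covers.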