Description
Flask (Pallets Project) before version 0.12.3 contains a CWE-20 Improper Input Validation vulnerability that can result in a large amount of memory usage, possibly leading to denial of service. The attack appears to be exploitable by an attacker providing JSON data in an incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. NOTE: this may overlap CVE-2019-1010083.
References (5)
Patch, Third Party Advisory (x_refsource_confirm): https://security.netapp.com/advisory/ntap-20190221-0001/
Issue Tracking, Patch, Third Party Advisory (x_refsource_confirm): https://github.com/pallets/flask/pull/2691
Third Party Advisory (x_refsource_confirm): https://github.com/pallets/flask/releases/tag/0.12.3
Vendor Advisory (x_refsource_ubuntu): https://usn.ubuntu.com/4378-1/
Mailing List (x_refsource_mlist): https://lists.debian.org/debian-lts-announce/2019/08/msg00025.html
Scores
CVSS v3: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS: 0.0057 (percentile 69.0%)
Attack Vector: NETWORK
Details
CWE: CWE-20
Status: published
Products (5)
netapp/active_iq
netapp/hyper_converged_infrastructure
netapp/ontap_select_deploy_utility
palletsprojects/flask: < 0.12.3
pypi/Flask: 0 - 0.12.3 (PyPI)
Published: Aug 20, 2018
Tracked Since: Feb 18, 2026