Lucene search

MitreCVE-2021-28667

HistoryMar 18, 2021 - 3:15 a.m.

CVE-2021-28667

2021-03-1803:15:12

CWE-835

mitre

web.nvd.nist.gov

stackstorm

cve-2021-28667

memory consumption

disk space

python 3.x

locale

utf-8

unicode data

nvd

CVSS2

7.1

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:N/I:N/A:C

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

42.5%

JSON

StackStorm before 3.4.1, in some situations, has an infinite loop that consumes all available memory and disk space. This can occur if Python 3.x is used, the locale is not utf-8, and there is an attempt to log Unicode data (from an action or rule name).

Affected configurations

Nvd

Node

stackstormstackstormRange<3.4.1

AND

pythonpythonRange<3.0.0

VendorProductVersionCPE
stackstormstackstorm*cpe:2.3:a:stackstorm:stackstorm:*:*:*:*:*:*:*:*
pythonpython*cpe:2.3:a:python:python:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
stackstorm	stackstorm	*	cpe:2.3:a:stackstorm:stackstorm::::::::
python	python	*	cpe:2.3:a:python:python::::::::

References

stackstorm.com/2021/03/10/stackstorm-v3-4-1-security-fix/

Social References

CVSS2

7.1

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:N/I:N/A:C

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

42.5%

JSON

Related for CVE-2021-28667