CVSS3: 5.3 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: LOW
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

EPSS: 0.001 Low
Percentile: 46.7%
A WebSocket peer may exhaust memory on the Eventlet side by sending very large WebSocket frames, because the advertised frame length was not bounded before the payload was buffered. A malicious peer may also exhaust memory by sending a highly compressed data frame that expands to a very large size when Eventlet decompresses it. Both attacks need no authentication and no user interaction; the impact is denial of service (availability only), which matches the CVSS vectors above.
Patched in version 0.31.0, which restricts WebSocket frame sizes to reasonable limits.
Workaround: restricting memory usage via OS limits (for example a per-process memory limit or a container memory cgroup) would help protect the overall machine from exhaustion, but there is no workaround that protects the Eventlet process itself; the process can still be killed by a single malicious peer. Upgrading is the only complete fix.
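The two missing checks described above are bounded frame lengths and bounded decompression. The following is an added example, not Eventlet's code and not the 0.31.0 patch: a minimal RFC 6455 frame-header parser that rejects an oversized advertised length before any payload is buffered, and a decompressor that aborts once the inflated output exceeds a cap, using zlib's max_length argument so memory stays bounded whatever the compression ratio. The limits (MAX_FRAME_PAYLOAD, MAX_INFLATED_MESSAGE), the helper names, and the sample frames (including the constructed "bomb", 8 MiB of zeros compressed into a few kilobytes) are all assumptions chosen for illustration; the compressed frames use a plain raw-deflate stream rather than the exact RFC 7692 permessage-deflate framing.

```python
"""Bounded WebSocket frame parsing and bounded inflate (added example).

Assumptions: limits and helpers below are illustrative and are not
Eventlet's API. Frames are built in-process, no network is used.
"""
import struct
import zlib

MAX_FRAME_PAYLOAD = 1 << 20      # assumption: 1 MiB on the wire per frame
MAX_INFLATED_MESSAGE = 4 << 20   # assumption: 4 MiB after decompression

# Constructed header: FIN + binary opcode, 64-bit length field claiming 1 TiB.
HUGE_FRAME_HEADER = bytes([0x82, 0x7F]) + struct.pack("!Q", 1 << 40)


class FrameTooLarge(ValueError):
    """Raised when a frame or its decompressed payload exceeds a limit."""


def parse_frame_header(data: bytes, max_payload: int = MAX_FRAME_PAYLOAD):
    """Parse an RFC 6455 frame header from the start of `data`.

    Returns (fin, rsv1, opcode, masked, payload_len, header_len). The length
    check happens here, before any payload is read, so a peer cannot make the
    server allocate memory proportional to a number it chose.
    """
    if len(data) < 2:
        raise ValueError("need at least 2 header bytes")
    b0, b1 = data[0], data[1]
    fin, rsv1, opcode = bool(b0 & 0x80), bool(b0 & 0x40), b0 & 0x0F
    masked, length, offset = bool(b1 & 0x80), b1 & 0x7F, 2
    if length == 126:
        if len(data) < 4:
            raise ValueError("truncated 16-bit length")
        (length,) = struct.unpack("!H", data[2:4])
        offset = 4
    elif length == 127:
        if len(data) < 10:
            raise ValueError("truncated 64-bit length")
        (length,) = struct.unpack("!Q", data[2:10])
        if length >> 63:
            raise ValueError("most significant bit of 64-bit length must be 0")
        offset = 10
    if length > max_payload:
        raise FrameTooLarge(f"advertised payload {length} > limit {max_payload}")
    if masked:
        offset += 4  # 4-byte masking key follows the length
    return fin, rsv1, opcode, masked, length, offset


def inflate_bounded(payload: bytes, max_out: int = MAX_INFLATED_MESSAGE) -> bytes:
    """Inflate a raw-deflate payload, stopping once output would exceed max_out.

    decompress(data, max_length) never returns more than max_length bytes, so
    the process allocates at most max_out + 1 bytes however compressible the
    input is; leftover input ends up in unconsumed_tail instead of in memory.
    """
    d = zlib.decompressobj(wbits=-zlib.MAX_WBITS)  # raw deflate, no zlib header
    out = d.decompress(payload, max_out + 1)
    if len(out) > max_out or d.unconsumed_tail:
        raise FrameTooLarge(f"decompressed payload exceeds limit {max_out}")
    return out


def read_message(frame: bytes) -> bytes:
    """Decode one complete frame, applying both limits; unmasks if needed."""
    _fin, rsv1, _opcode, masked, length, hlen = parse_frame_header(frame)
    payload = frame[hlen:hlen + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    if masked:
        key = frame[hlen - 4:hlen]
        payload = bytes(b ^ key[i & 3] for i, b in enumerate(payload))
    return inflate_bounded(payload) if rsv1 else payload


def build_frame(payload: bytes, opcode: int = 0x2, rsv1: bool = False) -> bytes:
    """Build an unmasked FIN frame (test helper, constructed input only)."""
    b0 = 0x80 | (0x40 if rsv1 else 0) | opcode
    n = len(payload)
    if n < 126:
        return bytes([b0, n]) + payload
    if n < 1 << 16:
        return bytes([b0, 126]) + struct.pack("!H", n) + payload
    return bytes([b0, 127]) + struct.pack("!Q", n) + payload


def deflate(data: bytes) -> bytes:
    """Raw-deflate `data` at maximum compression (test helper)."""
    c = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
    return c.compress(data) + c.flush()


def demo() -> dict:
    """Run the constructed cases and report what each limit did."""
    results = {"small": read_message(build_frame(b"hello"))}
    results["compressed_ok"] = read_message(build_frame(deflate(b"abc" * 1000), rsv1=True))
    try:
        parse_frame_header(HUGE_FRAME_HEADER)
        results["huge_header"] = "accepted"
    except FrameTooLarge:
        results["huge_header"] = "rejected"
    bomb = build_frame(deflate(b"\x00" * (8 << 20)), rsv1=True)  # constructed bomb
    results["bomb_wire_bytes"] = len(bomb)  # small on the wire, passes the frame limit
    try:
        read_message(bomb)
        results["bomb"] = "accepted"
    except FrameTooLarge:
        results["bomb"] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the two separate limits is that neither alone is sufficient: the frame-length cap stops the first attack but lets a few kilobytes of compressed data through, and only the output-bounded inflate stops that data from expanding to many megabytes. The wire-size entry in the result shows why the frame limit cannot catch the bomb by itself.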
References:
github.com/advisories/GHSA-9p9m-jm8w-94p2
github.com/eventlet/eventlet/commit/1412f5e4125b4313f815778a1acb4d3336efcd07
github.com/eventlet/eventlet/security/advisories/GHSA-9p9m-jm8w-94p2
lists.fedoraproject.org/archives/list/[email protected]/message/2WJFSBPLCNSZNHYQC4QDRDFRTEZRMD2L/
lists.fedoraproject.org/archives/list/[email protected]/message/R5JZP4LZOSP7CUAM3GIRW6PIAWKH5VGB/
nvd.nist.gov/vuln/detail/CVE-2021-21419