Vulnerability describes
The Vulnerability (CVE-2018-1000656) was published four days ago on The National Vulnerability Database (NVD) and is described as follows:
The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3.
The rough translation is as follows:
Flask 0.12.3 and below, developed by the Pallets team, contain a CWE-20 type vulnerability: an inappropriate input validation vulnerability. This vulnerability will result in a large memory footprint and may result in denial of service. An attacker can attack by providing JSON data with the wrong encoding. This vulnerability has been fixed in version 0.12.3 (#2691).
response
This vulnerability can be protected by upgrading. If you plan to use the latest version (Flask 1.0.2), you can update it using the following command (see this article for what major changes are included in Flask 1.0) :
$ pip install -U flask
Copy the code
If you use Pipenv, you can use the following command:
$ pipenv update flask
Copy the code
If you’re not ready for the latest version, you can upgrade to 0.12.3:
$PIP install flask = = 0.12.3Copy the code
Then update requirements.txt:
Flask ~ > 0.12.3Copy the code
If Pipenv is used, the following command is used:
$pipenv install flask = = 0.12.3Copy the code
note
- NVD is a U.S. government website that collects vulnerabilities. See the National Vulnerability Database for details.
- CWE (Common Weakness Enumeration) is a vulnerability classification standard maintained by MITRE, an American non-profit organization. For details, see Common Weakness Enumeration.
- The Common Vulnerabilities and Exposures (CVE), a vulnerability database maintained by The US non-profit MITRE, For details, see Common Vulnerabilities and Exposures (CVE).