CVE-2021-21419
Aliases: GHSA-9p9m-jm8w-94p2, PYSEC-2021-12
Advisory lineage: Upstream: 0, Downstream: 8
Published: 07 May 2021, 14:30
Last modified: 03 Aug 2024, 18:09
Vulnerability Summary
- Overall Risk (default): low (21/100)
- CVSS Score: 5.3 MEDIUM, v3.1 (cve.org)
- EPSS Score: 0.13% LOW
- KEV: Not listed
- Ransomware: No reports
- Public exploits: None found
- Dark Web: Not detected
Timeline
- 07 May 2021, 14:30: Published (vulnerability first disclosed)
- 03 Aug 2024, 18:09: Last modified (vulnerability information updated)
Description
Eventlet is a concurrent networking library for Python. A websocket peer may exhaust memory on the Eventlet side by sending very large websocket frames. A malicious peer may also exhaust memory on the Eventlet side by sending a highly compressed data frame. A patch in version 0.31.0 restricts websocket frames to reasonable limits. As a workaround, restricting memory usage via OS limits helps against overall machine exhaustion, but there is no workaround that protects the Eventlet process itself.
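The two limits the patch introduces, as an added illustration that is not Eventlet's own code or the 0.31.0 change: an RFC 6455 frame-header parser that rejects an oversized declared length before any payload buffer is allocated, and a bounded permessage-deflate inflater that stops once a decompressed-size cap is reached. The MAX_* values and the deflate_for_ws sender-side helper are assumptions constructed for the example.

```python
import struct
import zlib

# Assumed caps for this example; Eventlet 0.31.0 chose its own limits.
MAX_FRAME_PAYLOAD = 1 << 20      # 1 MiB per frame
MAX_INFLATED_MESSAGE = 8 << 20   # 8 MiB after permessage-deflate inflation

class FrameTooLarge(ValueError):
    """Raised before any oversized buffer is allocated."""

def parse_frame_header(buf):
    """Parse an RFC 6455 frame header -> (opcode, payload_len, rsv1, header_len)."""
    if len(buf) < 2:
        raise ValueError("short header")
    b0, b1 = buf[0], buf[1]
    opcode = b0 & 0x0F
    rsv1 = bool(b0 & 0x40)   # RSV1 set: message is permessage-deflate compressed
    masked = bool(b1 & 0x80)
    length = b1 & 0x7F
    pos = 2
    if length == 126:
        length = struct.unpack_from("!H", buf, pos)[0]
        pos += 2
    elif length == 127:
        length = struct.unpack_from("!Q", buf, pos)[0]
        pos += 8
    if masked:
        pos += 4             # 4-byte masking key follows the length
    # Reject here, before the caller reads or allocates the payload, so a
    # declared length alone cannot force a huge buffer.
    if length > MAX_FRAME_PAYLOAD:
        raise FrameTooLarge("declared payload %d exceeds %d" % (length, MAX_FRAME_PAYLOAD))
    return opcode, length, rsv1, pos

def inflate_bounded(data, limit=MAX_INFLATED_MESSAGE):
    """Inflate a permessage-deflate payload, refusing output beyond `limit` bytes."""
    d = zlib.decompressobj(wbits=-15)
    # max_length stops inflation early, so a small, highly compressed frame
    # cannot expand without bound; the sync tail stripped by the sender
    # (RFC 7692) is re-appended first.
    out = d.decompress(data + b"\x00\x00\xff\xff", limit + 1)
    if len(out) > limit or d.unconsumed_tail:
        raise FrameTooLarge("inflated message exceeds %d bytes" % limit)
    return out

def deflate_for_ws(payload):
    """Constructed sender-side helper: raw deflate with the sync tail stripped."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return (c.compress(payload) + c.flush(zlib.Z_SYNC_FLUSH))[:-4]
```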
CVSS Metrics
- v4.0 • MEDIUM • Score: 6.9 • CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
- v3.1 • MEDIUM • Score: 5.3 • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
- v2.0 • MEDIUM • Score: 5 • AV:N/AC:L/Au:N/C:N/I:N/A:P
EPSS Trends
Current EPSS score: 0.13% • Percentile: 32%
Techniques & Countermeasures
- CWE-400 • Uncontrolled Resource Consumption: the product does not properly control the allocation and maintenance of a limited resource.
Affected Systems
- eventlet • eventlet: ≥ 0.10, < 0.31.0
- fedoraproject • fedora: 33 | 34
- PyPI • eventlet: ≥ 0.10.0, < 0.31.0 | ≥ 0.10, < 0.31.0
References
- https://github.com/eventlet/eventlet/security/advisories/GHSA-9p9m-jm8w-94p2
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R5JZP4LZOSP7CUAM3GIRW6PIAWKH5VGB/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2WJFSBPLCNSZNHYQC4QDRDFRTEZRMD2L/
- https://nvd.nist.gov/vuln/detail/CVE-2021-21419
- https://github.com/eventlet/eventlet/commit/1412f5e4125b4313f815778a1acb4d3336efcd07
- https://github.com/eventlet/eventlet
- https://github.com/pypa/advisory-database/tree/main/vulns/eventlet/PYSEC-2021-12.yaml