{
  "threat_severity" : "Low",
  "public_date" : "2018-04-10T00:00:00Z",
  "bugzilla" : {
    "description" : "python-flask: Denial of Service via crafted JSON file",
    "id" : "1623131",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1623131"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-20",
  "details" : [ "The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. NOTE: this may overlap CVE-2019-1010083." ],
  "statement" : "This issue affects the versions of python-flask as shipped with Red Hat Enterprise Linux 7.\nAlthough Red Hat Satellite 6 contains the vulnerable component, it is not affected because its python-flask only receives JSON data created by other Red Hat Satellite 6 components, not user-controlled JSON data, which makes the attack infeasible.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 7 Extras",
    "release_date" : "2020-03-17T00:00:00Z",
    "advisory" : "RHSA-2020:0870",
    "cpe" : "cpe:/a:redhat:rhel_extras_other:7",
    "package" : "python-flask-1:0.10.1-5.el7_7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Ceph Storage 2",
    "fix_state" : "Affected",
    "package_name" : "python-flask",
    "cpe" : "cpe:/a:redhat:ceph_storage:2"
  }, {
    "product_name" : "Red Hat Ceph Storage 3",
    "fix_state" : "Fix deferred",
    "package_name" : "python-flask",
    "cpe" : "cpe:/a:redhat:ceph_storage:3"
  }, {
    "product_name" : "Red Hat Ceph Storage 7",
    "fix_state" : "Not affected",
    "package_name" : "python-flask",
    "cpe" : "cpe:/a:redhat:ceph_storage:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "python-flask",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Satellite 6",
    "fix_state" : "Not affected",
    "package_name" : "python-flask",
    "cpe" : "cpe:/a:redhat:satellite:6"
  }, {
    "product_name" : "Red Hat Storage 3",
    "fix_state" : "Fix deferred",
    "package_name" : "python-flask",
    "cpe" : "cpe:/a:redhat:storage:3"
  }, {
    "product_name" : "Red Hat Update Infrastructure 3 for Cloud Providers",
    "fix_state" : "Fix deferred",
    "package_name" : "python-flask",
    "cpe" : "cpe:/a:redhat:rhui:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2018-1000656\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-1000656" ],
  "name" : "CVE-2018-1000656",
  "csaw" : false
}