CVE-2021-21419 — Uncontrolled Resource Consumption in Eventlet
Severity: 7.5 HIGH | NVD 5.3 | OSV 5.3
EPSS: 0.1% (top 73.47%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline: Published May 7, latest update Nov 1
Description
Eventlet is a concurrent networking library for Python. A websocket peer may exhaust memory on the Eventlet side by sending very large websocket frames. A malicious peer may also exhaust memory on the Eventlet side by sending a highly compressed data frame. A patch in version 0.31.0 restricts websocket frames to reasonable limits. As a workaround, restricting memory usage via OS limits would help against overall machine exhaustion, but there is no workaround that protects the Eventlet process itself.
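As an added illustration of the two limits the fix described above introduces (this is example code written for this page, not Eventlet's own implementation; the caps, helper names and sample frames are assumptions), the following Python shows a receiver-side check for each attack path in the description: rejecting a frame from its declared length field before any payload is buffered, and capping how far a permessage-deflate payload may inflate so a small, highly compressed frame cannot expand without bound.

```python
from __future__ import annotations

import struct
import zlib

# Caps chosen for this example; assumed values, not Eventlet's own constants.
MAX_FRAME_BYTES = 1 << 20       # reject frames whose declared payload exceeds 1 MiB
MAX_INFLATED_BYTES = 8 << 20    # stop inflating once output passes 8 MiB


class FrameTooLarge(ValueError):
    """Raised before any payload-sized buffer is allocated or filled."""


def declared_payload_length(header: bytes) -> tuple[int, int]:
    """Parse the RFC 6455 length field from the first bytes of a frame.

    Returns (payload_length, header_size). Only the length prefix is read,
    so the size check can happen before the payload is received.
    """
    if len(header) < 2:
        raise ValueError("need at least 2 header bytes")
    masked = bool(header[1] & 0x80)
    length = header[1] & 0x7F
    offset = 2
    if length == 126:
        if len(header) < 4:
            raise ValueError("truncated 16-bit length")
        length = struct.unpack("!H", header[2:4])[0]
        offset = 4
    elif length == 127:
        if len(header) < 10:
            raise ValueError("truncated 64-bit length")
        length = struct.unpack("!Q", header[2:10])[0]
        offset = 10
    if masked:
        offset += 4  # 4-byte masking key follows the length field
    return length, offset


def check_frame_header(header: bytes, limit: int = MAX_FRAME_BYTES) -> int:
    """Reject an oversized frame using the declared length alone."""
    length, _ = declared_payload_length(header)
    if length > limit:
        raise FrameTooLarge(f"declared payload {length} exceeds limit {limit}")
    return length


def bounded_inflate(payload: bytes, limit: int = MAX_INFLATED_BYTES) -> bytes:
    """Inflate a permessage-deflate payload without unbounded output growth.

    decompressobj().decompress(data, max_length) returns at most max_length
    bytes per call and keeps the rest of the input in unconsumed_tail, so the
    loop can abort as soon as the running total passes the cap.
    """
    inflater = zlib.decompressobj(-zlib.MAX_WBITS)   # raw deflate, per RFC 7692
    data = payload + b"\x00\x00\xff\xff"             # RFC 7692 tail the sender stripped
    out = bytearray()
    while data:
        chunk = inflater.decompress(data, limit - len(out) + 1)
        out += chunk
        if len(out) > limit:
            raise FrameTooLarge(f"inflated size exceeds limit {limit}")
        if not chunk:
            break  # no progress possible; avoid spinning on bad input
        data = inflater.unconsumed_tail
    return bytes(out)


def frame_header(payload_len: int, masked: bool = False) -> bytes:
    """Build a constructed binary-frame header (FIN set, opcode 0x2) for tests."""
    mask_bit = 0x80 if masked else 0
    if payload_len < 126:
        hdr = bytes([0x82, mask_bit | payload_len])
    elif payload_len < (1 << 16):
        hdr = bytes([0x82, mask_bit | 126]) + struct.pack("!H", payload_len)
    else:
        hdr = bytes([0x82, mask_bit | 127]) + struct.pack("!Q", payload_len)
    if masked:
        hdr += b"\x00\x00\x00\x00"  # constructed placeholder masking key
    return hdr


def make_deflated(data: bytes) -> bytes:
    """Produce a constructed permessage-deflate payload (trailer stripped)."""
    co = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
    stream = co.compress(data) + co.flush(zlib.Z_SYNC_FLUSH)
    return stream[:-4]  # sender removes the 00 00 ff ff sync-flush tail


if __name__ == "__main__":
    print("small frame ok:", check_frame_header(frame_header(5)))
    try:
        check_frame_header(frame_header(2 << 20))
    except FrameTooLarge as exc:
        print("oversized frame rejected:", exc)
    bomb = make_deflated(b"\x00" * (1 << 20))  # ~1 KiB on the wire, 1 MiB inflated
    try:
        bounded_inflate(bomb, limit=1 << 16)
    except FrameTooLarge as exc:
        print(f"compressed frame of {len(bomb)} bytes rejected:", exc)
```

The important ordering is that both checks run before memory proportional to the attacker's choice is committed: the length check reads only the header, and the inflater is asked for at most one byte beyond the cap on each call, so a frame that compresses a large run of identical bytes is cut off at the limit rather than expanded in full.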
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Exploitability: 3.9 | Impact: 1.4
Affected Packages (5 packages)
Also affects: Fedora 33, 34, Openshift Container Platform 4.12
Vulnerability Details (4)
- GHSA: GHSA-326p-894x-j8c7: A regression was introduced in the Red Hat build of python-eventlet due to a change in the patch application strategy, resulting in a patch for CVE-20 (2023-11-01)
- GHSA: Improper Handling of Highly Compressed Data (Data Amplification) and Memory Allocation with Excessive Size Value in eventlet (2021-05-07)
- OSV: Improper Handling of Highly Compressed Data (Data Amplification) and Memory Allocation with Excessive Size Value in eventlet (2021-05-07)
Vendor Advisories (5)
- Debian: CVE-2023-5625: python-eventlet - A regression was introduced in the Red Hat build of python-eventlet due to a cha... (2023)
- Red Hat: python-eventlet: improper handling of highly compressed data and memory allocation with excessive size allows DoS (2021-05-06)
- Debian: CVE-2021-21419: python-eventlet - Eventlet is a concurrent networking library for Python. A websocket peer may exh... (2021)