CVE-2021-21419

07.05.2021, 15:15

Eventlet is a concurrent networking library for Python. A websocket peer may exhaust memory on Eventlet side by sending very large websocket frames. Malicious peer may exhaust memory on Eventlet side by sending highly compressed data frame. A patch in version 0.31.0 restricts websocket frame to reasonable limits. As a workaround, restricting memory usage via OS limits would help against overall machine exhaustion, but there is no workaround to protect Eventlet process.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	5.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
GitHub_M	CNA	5.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 38%

Vendor	Product	Version
eventlet	eventlet	0.10 ≤ 𝑥 < 0.31.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

python-eventlet

bullseye	0.26.1-7+deb11u1 fixed
buster	no-dsa
stretch	no-dsa
bookworm	0.33.1-4 fixed
sid	0.36.1-7 fixed
trixie	0.36.1-7 fixed

Ubuntu Releases

Ubuntu Product

Codename

python-eventlet

jammy	Fixed 0.30.0-0ubuntu2 released
impish	Fixed 0.30.0-0ubuntu2 released
hirsute	Fixed 0.30.0-0ubuntu1.1 released
groovy	Fixed 0.26.1-0ubuntu1.1 released
focal	Fixed 0.25.1-2ubuntu1.1 released
bionic	not-affected
xenial	not-affected
trusty	dne

Common Weakness Enumeration

CWE-400 - Uncontrolled Resource Consumption
The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

References

https://github.com/eventlet/eventlet/security/advisories/GHSA-9p9m-jm8w-94p2

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2WJFSBPLCNSZNHYQC4QDRDFRTEZRMD2L/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R5JZP4LZOSP7CUAM3GIRW6PIAWKH5VGB/

https://github.com/eventlet/eventlet/security/advisories/GHSA-9p9m-jm8w-94p2

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2WJFSBPLCNSZNHYQC4QDRDFRTEZRMD2L/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R5JZP4LZOSP7CUAM3GIRW6PIAWKH5VGB/