CVE-2021-21419

EUVD-2021-0072
Eventlet is a concurrent networking library for Python. A websocket peer may exhaust memory on the Eventlet side by sending very large websocket frames. A malicious peer may also exhaust memory on the Eventlet side by sending a highly compressed data frame. A patch in version 0.31.0 restricts websocket frames to reasonable limits. As a workaround, restricting memory usage via OS limits would help against overall machine exhaustion, but there is no workaround to protect the Eventlet process itself.
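The two limits the fix describes, shown as an added example that is not Eventlet's own code: a frame-header parser that rejects a declared payload length above a cap before any buffer is allocated, and a permessage-deflate inflater with an output cap. The limit values, helper names and sample frames are assumptions constructed here.

```python
import struct
import zlib

# Hypothetical limits; the values are not Eventlet's own.
MAX_FRAME_PAYLOAD = 1 << 20   # 1 MiB declared payload per frame
MAX_INFLATED = 4 << 20        # 4 MiB after permessage-deflate inflation


class FrameTooLarge(Exception):
    """Raised before any memory is committed to an oversized frame."""


def parse_frame_header(buf: bytes, max_payload: int = MAX_FRAME_PAYLOAD):
    """Parse an RFC 6455 frame header from `buf` and reject payloads over
    `max_payload` before a buffer for the payload is allocated.
    Returns (fin, rsv1, opcode, masked, payload_len, header_len)."""
    if len(buf) < 2:
        raise ValueError("incomplete frame header")
    b0, b1 = buf[0], buf[1]
    fin, rsv1, opcode = bool(b0 & 0x80), bool(b0 & 0x40), b0 & 0x0F
    masked, length = bool(b1 & 0x80), b1 & 0x7F
    hdr = 2
    if length == 126:            # 16-bit extended length
        length, hdr = struct.unpack_from("!H", buf, 2)[0], 4
    elif length == 127:          # 64-bit extended length: the "very large frame" case
        length, hdr = struct.unpack_from("!Q", buf, 2)[0], 10
    if masked:
        hdr += 4                 # 4-byte masking key follows the length
    if length > max_payload:
        raise FrameTooLarge(f"declared payload {length} > {max_payload}")
    return fin, rsv1, opcode, masked, length, hdr


def inflate_bounded(payload: bytes, max_out: int = MAX_INFLATED) -> bytes:
    """Inflate a permessage-deflate (RFC 7692) message with an output cap.
    The sender strips the trailing 00 00 ff ff; the receiver re-appends it."""
    d = zlib.decompressobj(wbits=-15)
    out = d.decompress(payload + b"\x00\x00\xff\xff", max_out + 1)
    if len(out) > max_out:       # the "highly compressed frame" case
        raise FrameTooLarge(f"inflated size exceeds {max_out} bytes")
    return out


def deflate_message(data: bytes) -> bytes:
    """Constructed sender side: raw deflate + sync flush, trailer removed."""
    c = zlib.compressobj(wbits=-15)
    return (c.compress(data) + c.flush(zlib.Z_SYNC_FLUSH))[:-4]


# Constructed samples: a harmless text frame and a frame declaring 1 TiB.
SMALL_FRAME = bytes([0x81, 0x05]) + b"hello"
HUGE_FRAME = bytes([0x82, 0x7F]) + struct.pack("!Q", 1 << 40)
```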
Provider   Type     Base Score   Atk. Vector   Atk. Complexity   Priv. Required   Vector
NIST       Primary  5.3 MEDIUM   NETWORK       LOW               NONE             CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
GitHub_M   CNA      5.3 MEDIUM   NETWORK       LOW               NONE             CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
EPSS Score: Percentile 26%
Affected Products (NVD)
Vendor     Product    Version
eventlet   eventlet   0.10 ≤ x < 0.31.0   (x = vulnerable software versions)
Debian Releases
Debian Product    Codename   Version             Status
python-eventlet   bookworm   0.33.1-4            fixed
python-eventlet   bullseye   0.26.1-7+deb11u1    fixed
python-eventlet   buster                         no-dsa
python-eventlet   sid        0.36.1-7            fixed
python-eventlet   stretch                        no-dsa
python-eventlet   trixie     0.36.1-7            fixed
Ubuntu Releases
Ubuntu Product    Codename   Fix                        Status
python-eventlet   bionic                                not-affected
python-eventlet   focal      Fixed 0.25.1-2ubuntu1.1    released
python-eventlet   groovy     Fixed 0.26.1-0ubuntu1.1    released
python-eventlet   hirsute    Fixed 0.30.0-0ubuntu1.1    released
python-eventlet   impish     Fixed 0.30.0-0ubuntu2      released
python-eventlet   jammy      Fixed 0.30.0-0ubuntu2      released
python-eventlet   trusty                                dne
python-eventlet   xenial                                not-affected