GHSA-3qj8-93xh-pwh2

Опубликовано: 21 апр. 2023

Источник: github

Github: Прошло ревью

CVSS3: 7.5

Описание

Duplicate Advisory: Starlette allows an unauthenticated and remote attacker to specify any number of form fields or files

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-74m5-2c7w-9w3x. This link is maintained to preserve external references.

Original Description

There MultipartParser usage in Encode's Starlette python framework before versions 0.25.0 allows an unauthenticated and remote attacker to specify any number of form fields or files which can cause excessive memory usage resulting in denial of service of the HTTP service.

Ссылки

https://github.com/encode/starlette/security/advisories/GHSA-74m5-2c7w-9w3x
https://nvd.nist.gov/vuln/detail/CVE-2023-30798
https://github.com/encode/starlette/commit/8c74c2c8dba7030154f8af18e016136bea1938fa
https://vulncheck.com/advisories/starlette-multipartparser-dos

Пакеты

Наименование

starlette

pip

Затронутые версииВерсия исправления

< 0.25.0

0.25.0

7.5 High

CVSS3

Дефекты

CWE-400

7.5 High

CVSS3

Дефекты

CWE-400