Published: 12 Mar 2019
Source: github
GitHub: Reviewed
CVSS4: 8.2
CVSS3: 8.1
Description
Webargs mishandles concurrent JSON parsing
An issue was discovered in webargs before 5.1.3, as used with marshmallow and other products. JSON parsing uses a short-lived cache to store the parsed JSON body. This cache is not thread-safe, meaning that incorrect JSON payloads could have been parsed for concurrent requests.
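The race the advisory describes, as an added Python illustration that is not webargs' own code: a parser whose short-lived JSON cache is one dict shared by all requests, beside one whose cache is scoped to the request. The class names, the `pause` hook (which forces the thread interleaving deterministically) and the two request bodies are constructed for this example.

```python
import json
import threading


class SharedCacheParser:
    """Vulnerable pattern: one short-lived cache shared by every request."""
    def __init__(self):
        self._cache = {}  # BUG: mutable state shared by all threads, no locking

    def parse_json(self, body, pause=None):
        if "json" not in self._cache:
            self._cache["json"] = json.loads(body)
        data = self._cache["json"]
        if pause: pause()  # window in which another request's thread may run
        self._cache.clear()  # "short-lived": dropped when the request ends
        return data


class PerRequestCacheParser:
    """Fixed pattern: the cache exists only for the duration of one call."""
    def parse_json(self, body, pause=None):
        cache = {}  # scoped to this request; other threads never see it
        if "json" not in cache:
            cache["json"] = json.loads(body)
        data = cache["json"]
        if pause: pause()
        cache.clear()
        return data


def interleave(parser, body_a, body_b):
    """Run A and B on one parser so B executes while A is paused between filling and clearing the cache."""
    a_cached, b_finished, out = threading.Event(), threading.Event(), {}
    def pause_a():
        a_cached.set()     # let request B start
        b_finished.wait()  # hold A inside parse_json until B has returned
    def request_a():
        out["a"] = parser.parse_json(body_a, pause=pause_a)
    def request_b():
        a_cached.wait()
        out["b"] = parser.parse_json(body_b)
        b_finished.set()
    threads = [threading.Thread(target=f) for f in (request_a, request_b)]
    for t in threads: t.start()
    for t in threads: t.join()
    return out["a"], out["b"]  # (what A received, what B received)


# Constructed sample bodies for two concurrent clients.
BODY_A = '{"user": "alice", "role": "admin"}'
BODY_B = '{"user": "bob", "role": "viewer"}'
```

With the shared cache, request B is handed alice's payload; with the per-request cache each request gets its own body back.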
References
- https://nvd.nist.gov/vuln/detail/CVE-2019-9710
- https://github.com/marshmallow-code/webargs/issues/371
- https://github.com/marshmallow-code/webargs/pull/373
- https://github.com/marshmallow-code/webargs/commit/716bd8d1f24c84aaf99170efaa17d1d34206f6c0
- https://github.com/pypa/advisory-database/tree/main/vulns/webargs/PYSEC-2019-139.yaml
- https://webargs.readthedocs.io/en/latest/changelog.html
- https://webargs.readthedocs.io/en/latest/changelog.html#id24
Packages
Name: webargs (pip)
Affected versions: < 5.1.3
Fixed version: 5.1.3
Related vulnerabilities
CVSS3: 8.1
nvd
almost 7 years ago