Description
Marshmallow is a lightweight library for converting complex objects to and from simple Python datatypes. In versions from 3.0.0rc1 to before 3.26.2 and from 4.0.0 to before 4.1.2, Schema.load(data, many=True) is vulnerable to denial of service attacks. A moderately sized request can consume a disproportionate amount of CPU time. This issue has been patched in versions 3.26.2 and 4.1.2.
A flaw was found in Marshmallow. A remote attacker could exploit a vulnerability in the Schema.load(data, many=True) function by sending a moderately sized request. This could lead to a denial of service (DoS) due to the disproportionate consumption of CPU time, making the system unavailable to legitimate users.
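An added example (not from the advisory or the marshmallow project): a standard-library check of a marshmallow version string against the two affected ranges stated above, with pre-release ordering so that 3.0.0rc1 counts as affected and earlier betas do not. The function names are hypothetical, and a distribution package may carry a backported fix under an older version number, so the result is a first-pass inventory signal.

```python
import re
from importlib import metadata

# Affected ranges exactly as stated in the advisory text: [first affected, first fixed)
AFFECTED_RANGES = [("3.0.0rc1", "3.26.2"), ("4.0.0", "4.1.2")]

# Pre-release tags sort below the final release (subset of PEP 440 ordering).
_PRE_RANK = {"a": 0, "b": 1, "rc": 2, None: 3}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:\.?(a|b|rc)(\d+))?$")


def parse_version(text):
    """Return a sortable key for versions such as 3.0.0b20, 3.0.0rc1 or 3.26.2."""
    match = _VERSION_RE.match(text.strip().lower())
    if match is None:
        # dev/post/local versions are out of scope for this sketch
        raise ValueError(f"unsupported version string: {text!r}")
    major, minor, patch, tag, tag_num = match.groups()
    return (int(major), int(minor), int(patch or 0), _PRE_RANK[tag], int(tag_num or 0))


def is_affected(version):
    """True if the version falls inside one of the advisory's affected ranges."""
    key = parse_version(version)
    return any(
        parse_version(first_bad) <= key < parse_version(first_fixed)
        for first_bad, first_fixed in AFFECTED_RANGES
    )


def installed_marshmallow_status():
    """Return (version, affected) for the current environment, or None if absent."""
    try:
        version = metadata.version("marshmallow")
    except metadata.PackageNotFoundError:
        return None
    return version, is_affected(version)


if __name__ == "__main__":
    print(installed_marshmallow_status())
```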
Report
This vulnerability is rated Moderate. Applications within Ansible Automation Platform 2.4 and 2.5 that utilize python-marshmallow or python3.11-marshmallow to process untrusted input with Schema.load(data, many=True) may experience a denial of service. This can lead to a disproportionate consumption of CPU resources, impacting system availability.
Affected packages
| Platform | Package | State | Recommendation | Release |
|---|---|---|---|---|
| Red Hat Ansible Automation Platform 2 | python3.11-marshmallow | Fix deferred | | |
| Red Hat Ansible Automation Platform 2 | python-marshmallow | Fix deferred | | |
Additional information
Status:
6.5 Medium
CVSS3