CVE-2021-32838 : Flask-RESTX (pypi package flask-restx) is a community driven fork of Flask-RESTP

Flask-RESTX (pypi package flask-restx) is a community driven fork of Flask-RESTPlus. Flask-RESTX before version 0.5.1 is vulnerable to ReDoS (Regular Expression Denial of Service) in email_regex. This is fixed in version 0.5.1.

Published 2021-09-20 18:15:11

Updated 2021-09-30 19:23:15

Source GitHub, Inc.

View at NVD, CVE.org

Vulnerability category: Denial of service

Products affected by CVE-2021-32838

Fedoraproject » Fedora » Version: 33
cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 34
cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*
Matching versions
Flask-restx Project » Flask-restx » For Python
Versions before (<) 0.5.1
cpe:2.3:a:flask-restx_project:flask-restx:*:*:*:*:*:python:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2021-32838

EPSS FAQ

1.37%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 79 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2021-32838

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.0	MEDIUM	AV:N/AC:L/Au:N/C:N/I:N/A:P	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H	3.9	3.6	GitHub, Inc.
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: None Availability: High

CWE ids for CVE-2021-32838

CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

Assigned by: security-advisories@github.com (Primary)

References for CVE-2021-32838

https://github.com/python-restx/flask-restx/commit/bab31e085f355dd73858fd3715f7ed71849656da

optimize email regex (credits: @kevinbackhouse, fix: #372) · python-restx/flask-restx@bab31e0 · GitHub
Patch;Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/5UCTFVDU3677B5OBGK4EF5NMUPJLL6SQ/

[SECURITY] Fedora 34 Update: python-flask-restx-0.3.0-2.fc34 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QUD6SWZLX52AAZUHDETJ2CDMQGEPGFL3/

[SECURITY] Fedora 33 Update: python-flask-restx-0.2.0-4.fc33 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory
https://pypi.org/project/flask-restx/

flask-restx · PyPI
Product;Third Party Advisory
https://github.com/python-restx/flask-restx/issues/372

GHSL-2021-123 · Issue #372 · python-restx/flask-restx · GitHub
Issue Tracking;Patch;Third Party Advisory
https://github.com/advisories/GHSA-3q6g-vf58-7m4g

Regular Expression Denial of Service in flask-restx · CVE-2021-32838 · GitHub Advisory Database · GitHub
Third Party Advisory
https://github.com/python-restx/flask-restx/blob/fd99fe11a88531f5f3441a278f7020589f9d2cc0/flask_restx/inputs.py#L51

flask-restx/inputs.py at fd99fe11a88531f5f3441a278f7020589f9d2cc0 · python-restx/flask-restx · GitHub
Patch;Third Party Advisory

Jump to

Vulnerability Details : CVE-2021-32838

Products affected by CVE-2021-32838

Exploit prediction scoring system (EPSS) score for CVE-2021-32838

CVSS scores for CVE-2021-32838

CWE ids for CVE-2021-32838

References for CVE-2021-32838