---- ------- -------------- ------------ --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Flask 0.5 PYSEC-2019-179 1.0 The Pallets Project Flask before 1.0 is affected by: unexpected memory usage. The impact is: denial of service. The attack vector is: crafted encoded JSON data. The fixed version is: 1. NOTE: this may overlap CVE-2018-1000656.
Flask 0.5 PYSEC-2018-66 0.12.3 The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. NOTE: this may overlap CVE-2019-1010083.
Audit dependencies with JSON-format output:
$ pip-audit -f json | jq
Found 2 known vulnerabilities in 1 package
[
  {
    "name": "flask",
    "version": "0.5",
    "vulns": [
      {
        "id": "PYSEC-2019-179",
        "fix_versions": [
          "1.0"
        ],
        "description": "The Pallets Project Flask before 1.0 is affected by: unexpected memory usage. The impact is: denial of service. The attack vector is: crafted encoded JSON data. The fixed version is: 1. NOTE: this may overlap CVE-2018-1000656."
      },
      {
        "id": "PYSEC-2018-66",
        "fix_versions": [
          "0.12.3"
        ],
        "description": "The Pallets Project flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3. NOTE: this may overlap CVE-2019-1010083."
      }
    ]
  },
  {
    "name": "jinja2",
    "version": "3.0.2",
    "vulns": []
  },
  {
    "name": "pip",
    "version": "21.3.1",
    "vulns": []
  },
  {
    "name": "setuptools",
    "version": "57.4.0",
    "vulns": []
  },
  {
    "name": "werkzeug",
    "version": "2.0.2",
    "vulns": []
  },
  {
    "name": "markupsafe",
    "version": "2.0.1",
    "vulns": []
  }
]
Audit and try to automatically fix dependencies with known vulnerabilities:
$ pip-audit --fix
Found 2 known vulnerabilities in 1 package and fixed 2 vulnerabilities in 1 package
Name Version ID Fix Versions Applied Fix
----- ------- -------------- ------------ ----------------------------------------
flask 0.5 PYSEC-2019-179 1.0 Successfully upgraded flask (0.5 => 1.0)
flask 0.5 PYSEC-2018-66 0.12.3 Successfully upgraded flask (0.5 => 1.0)