PT-2021-3910 · Eventlet+3
Temoto published
Published 2021-05-07 · Updated 2024-12-06
CVE-2021-21419
CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Eventlet versions prior to 0.31.0
Description
Eventlet's websocket implementation does not limit the size of incoming websocket frames, which can lead to memory exhaustion. A malicious peer can trigger this by sending highly compressed data frames, causing a denial of service. No estimate of the number of potentially affected devices is provided.
Recommendations
For versions prior to 0.31.0, update to version 0.31.0 to restrict websocket frames to reasonable limits.
As a temporary workaround, restrict the process's memory usage via OS limits; this helps protect the machine as a whole from exhaustion but does not protect the Eventlet process itself.
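The fix described above, bounding the size of websocket frames, as an added example that is not Eventlet's own code: the first function rejects an oversized frame from its declared header length before any body buffer is allocated, and the second bounds decompression of a permessage-deflate message so that a small, highly compressed frame cannot inflate without limit. The limits (8 MiB and 16 MiB), the sample frames and the test payload are constructed for illustration.

```python
import struct
import zlib

# Illustrative limits; constructed here, the advisory states no concrete numbers.
MAX_FRAME_LENGTH = 8 * 1024 * 1024      # largest declared frame payload accepted
MAX_INFLATED_LENGTH = 16 * 1024 * 1024  # largest decompressed message accepted


class FrameTooLarge(Exception):
    """Raised before any buffer is allocated for an oversized frame or message."""


def parse_frame_header(data: bytes, max_frame_length: int = MAX_FRAME_LENGTH):
    """Parse an RFC 6455 frame header -> (fin, opcode, payload_len, header_len).
    The declared length is checked before the body is read, so a peer that
    announces a huge frame costs the receiver only the header bytes."""
    if len(data) < 2:
        raise ValueError("need at least 2 header bytes")
    fin, opcode = bool(data[0] & 0x80), data[0] & 0x0F
    masked, length = bool(data[1] & 0x80), data[1] & 0x7F
    offset = 2
    if length == 126:                       # 16-bit extended payload length
        length, offset = struct.unpack("!H", data[2:4])[0], 4
    elif length == 127:                     # 64-bit extended payload length
        length, offset = struct.unpack("!Q", data[2:10])[0], 10
        if length >> 63:
            raise ValueError("most significant bit of 64-bit length must be 0")
    if masked:
        offset += 4                         # 4-byte masking key follows the length
    if length > max_frame_length:
        raise FrameTooLarge(f"declared payload {length} exceeds {max_frame_length}")
    return fin, opcode, length, offset


def inflate_bounded(compressed: bytes, max_out: int = MAX_INFLATED_LENGTH) -> bytes:
    """Inflate a permessage-deflate (RFC 7692, raw DEFLATE) message without
    trusting its ratio: stop as soon as the output would exceed max_out."""
    inflater = zlib.decompressobj(wbits=-15)
    # RFC 7692: the sender strips the trailing 00 00 ff ff; the receiver re-appends it.
    out = inflater.decompress(compressed + b"\x00\x00\xff\xff", max_out + 1)
    if len(out) > max_out:
        raise FrameTooLarge(f"inflated message exceeds {max_out} bytes")
    return out


def compress_for_test(payload: bytes) -> bytes:
    """Build a permessage-deflate message body (constructed test input)."""
    c = zlib.compressobj(wbits=-15)
    return (c.compress(payload) + c.flush(zlib.Z_SYNC_FLUSH))[:-4]


# Constructed sample frames: a masked 5-byte text frame and a header claiming 4 GiB.
SMALL_FRAME = bytes([0x81, 0x85]) + b"\x00" * 4 + b"hello"
HUGE_HEADER = bytes([0x82, 0x7F]) + struct.pack("!Q", 1 << 32)
```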
Fix
Resource Exhaustion
Affected Products
Astra Linux
Eventlet
Linuxmint
Ubuntu