Vulnerability Details CVE-2021-21419
Eventlet is a concurrent networking library for Python. A websocket peer may exhaust memory on Eventlet side by sending very large websocket frames. Malicious peer may exhaust memory on Eventlet side by sending highly compressed data frame. A patch in version 0.31.0 restricts websocket frame to reasonable limits. As a workaround, restricting memory usage via OS limits would help against overall machine exhaustion, but there is no workaround to protect Eventlet process.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 28.2%
CVSS Severity
CVSS v3 Score 5.3
CVSS v2 Score 5.0
References
- https://github.com/eventlet/eventlet/security/advisories/GHSA-9p9m-jm8w-94p2
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2WJFSBPLCNSZNHYQC4QDRDFRTEZRMD2L/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R5JZP4LZOSP7CUAM3GIRW6PIAWKH5VGB/
- https://github.com/eventlet/eventlet/security/advisories/GHSA-9p9m-jm8w-94p2
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2WJFSBPLCNSZNHYQC4QDRDFRTEZRMD2L/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R5JZP4LZOSP7CUAM3GIRW6PIAWKH5VGB/
Products affected by CVE-2021-21419
-
cpe:2.3:a:eventlet:eventlet:0.10
-
cpe:2.3:a:eventlet:eventlet:0.11
-
cpe:2.3:a:eventlet:eventlet:0.12
-
cpe:2.3:a:eventlet:eventlet:0.13
-
cpe:2.3:a:eventlet:eventlet:0.14
-
cpe:2.3:a:eventlet:eventlet:0.15
-
cpe:2.3:a:eventlet:eventlet:0.15.1
-
cpe:2.3:a:eventlet:eventlet:0.15.2
-
cpe:2.3:a:eventlet:eventlet:0.16
-
cpe:2.3:a:eventlet:eventlet:0.16.1
-
cpe:2.3:a:eventlet:eventlet:0.17
-
cpe:2.3:a:eventlet:eventlet:0.17.1
-
cpe:2.3:a:eventlet:eventlet:0.17.2
-
cpe:2.3:a:eventlet:eventlet:0.17.3
-
cpe:2.3:a:eventlet:eventlet:0.17.4
-
cpe:2.3:a:eventlet:eventlet:0.18.0
-
cpe:2.3:a:eventlet:eventlet:0.18.1
-
cpe:2.3:a:eventlet:eventlet:0.18.2
-
cpe:2.3:a:eventlet:eventlet:0.18.3
-
cpe:2.3:a:eventlet:eventlet:0.18.4
-
cpe:2.3:a:eventlet:eventlet:0.19.0
-
cpe:2.3:a:eventlet:eventlet:0.20.0
-
cpe:2.3:a:eventlet:eventlet:0.20.1
-
cpe:2.3:a:eventlet:eventlet:0.21.0
-
cpe:2.3:a:eventlet:eventlet:0.22.0
-
cpe:2.3:a:eventlet:eventlet:0.22.1
-
cpe:2.3:a:eventlet:eventlet:0.23.0
-
cpe:2.3:a:eventlet:eventlet:0.24.0
-
cpe:2.3:a:eventlet:eventlet:0.24.1
-
cpe:2.3:a:eventlet:eventlet:0.25.0
-
cpe:2.3:a:eventlet:eventlet:0.25.1
-
cpe:2.3:a:eventlet:eventlet:0.25.2
-
cpe:2.3:a:eventlet:eventlet:0.26.0
-
cpe:2.3:a:eventlet:eventlet:0.26.1
-
cpe:2.3:a:eventlet:eventlet:0.27.0
-
cpe:2.3:a:eventlet:eventlet:0.28.0
-
cpe:2.3:a:eventlet:eventlet:0.28.1
-
cpe:2.3:a:eventlet:eventlet:0.29.0
-
cpe:2.3:a:eventlet:eventlet:0.29.1
-
cpe:2.3:a:eventlet:eventlet:0.30.0
-
cpe:2.3:a:eventlet:eventlet:0.30.1
-
cpe:2.3:a:eventlet:eventlet:0.30.2
-
cpe:2.3:a:eventlet:eventlet:0.30.3
-
cpe:2.3:o:fedoraproject:fedora:33
-
cpe:2.3:o:fedoraproject:fedora:34