CVE-2021-21419: Improper Handling of Highly Compressed Data (Data Amplification) and Memory Allocation with Excessive Size Value in eventlet
A websocket peer can exhaust memory on the Eventlet side by sending very large websocket frames. A malicious peer can also exhaust memory on the Eventlet side by sending a highly compressed data frame.
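Both failure modes above come down to trusting a size the peer controls: the declared frame length, and the inflated size of a permessage-deflate payload. The following is an added example (not eventlet's code and not the fix in the referenced commit) of the two checks a defender wants, written against RFC 6455 framing and RFC 7692 compression. The caps MAX_FRAME_PAYLOAD and MAX_INFLATED_BYTES, the helper names, and the sample frames are all assumptions constructed for this example.

```python
import struct
import zlib

# Illustrative caps (assumptions for this example, not eventlet's values).
MAX_FRAME_PAYLOAD = 1 << 20     # 1 MiB of payload per frame
MAX_INFLATED_BYTES = 4 << 20    # 4 MiB after permessage-deflate inflation
DEFLATE_TAIL = b"\x00\x00\xff\xff"  # trailer RFC 7692 strips from each message


class FrameTooLarge(ValueError):
    """Raised before any oversized buffer would be allocated."""


def parse_frame_header(buf):
    """Parse an RFC 6455 frame header; return
    (fin, rsv1, opcode, mask_key, payload_len, header_len).

    The declared length is checked against MAX_FRAME_PAYLOAD here, before
    the caller reads or allocates that many bytes: a 10-byte header can
    declare a 64-bit length, so the check has to precede the read.
    """
    if len(buf) < 2:
        raise ValueError("truncated header")
    b0, b1 = buf[0], buf[1]
    fin, rsv1, opcode = bool(b0 & 0x80), bool(b0 & 0x40), b0 & 0x0F
    masked, length, offset = bool(b1 & 0x80), b1 & 0x7F, 2
    if length == 126:
        if len(buf) < 4:
            raise ValueError("truncated 16-bit length")
        (length,) = struct.unpack("!H", buf[2:4])
        offset = 4
    elif length == 127:
        if len(buf) < 10:
            raise ValueError("truncated 64-bit length")
        (length,) = struct.unpack("!Q", buf[2:10])
        offset = 10
    if length > MAX_FRAME_PAYLOAD:
        raise FrameTooLarge("declared payload %d exceeds %d" % (length, MAX_FRAME_PAYLOAD))
    mask_key = None
    if masked:
        if len(buf) < offset + 4:
            raise ValueError("truncated mask key")
        mask_key = buf[offset:offset + 4]
        offset += 4
    return fin, rsv1, opcode, mask_key, length, offset


def unmask(payload, key):
    """Apply the 4-byte XOR mask (the same operation masks on send)."""
    return bytes(b ^ key[i % 4] for i, b in enumerate(payload))


def inflate_bounded(payload, limit=MAX_INFLATED_BYTES):
    """Inflate a permessage-deflate payload, refusing output above limit.

    zlib's max_length argument bounds the output buffer regardless of the
    compression ratio, so a tiny frame that would inflate to gigabytes is
    rejected after producing at most limit + 1 bytes.
    """
    d = zlib.decompressobj(wbits=-zlib.MAX_WBITS)   # raw deflate, no zlib header
    out = d.decompress(payload + DEFLATE_TAIL, limit + 1)
    if len(out) > limit or d.unconsumed_tail:
        raise FrameTooLarge("inflated payload exceeds %d bytes" % limit)
    return out


def decode_message(buf):
    """Read one complete frame from buf and return (opcode, payload bytes)."""
    fin, rsv1, opcode, mask_key, length, hdr = parse_frame_header(buf)
    if len(buf) < hdr + length:
        raise ValueError("incomplete frame")
    payload = buf[hdr:hdr + length]
    if mask_key is not None:
        payload = unmask(payload, mask_key)
    if rsv1:                      # RSV1 set: payload is deflate-compressed
        payload = inflate_bounded(payload)
    return opcode, payload


# Sender-side helpers, used here only to construct sample frames.

def deflate_for_frame(data):
    """Compress as a permessage-deflate sender does: raw deflate, sync flush,
    trailing 00 00 ff ff removed (RFC 7692 section 7.2.1)."""
    c = zlib.compressobj(wbits=-zlib.MAX_WBITS)
    return (c.compress(data) + c.flush(zlib.Z_SYNC_FLUSH))[:-4]


def build_frame(payload, opcode=0x1, rsv1=False, mask_key=None):
    """Build a single FIN frame around payload, optionally compressed/masked."""
    b0 = 0x80 | (0x40 if rsv1 else 0) | opcode
    mbit = 0x80 if mask_key else 0
    n = len(payload)
    if n < 126:
        hdr = bytes([b0, mbit | n])
    elif n < (1 << 16):
        hdr = bytes([b0, mbit | 126]) + struct.pack("!H", n)
    else:
        hdr = bytes([b0, mbit | 127]) + struct.pack("!Q", n)
    if mask_key:
        hdr += mask_key
        payload = unmask(payload, mask_key)
    return hdr + payload


if __name__ == "__main__":
    # Constructed inputs: a normal compressed text message, and a few-KiB
    # binary frame that inflates past the limit (the amplification case).
    ok = build_frame(deflate_for_frame(b"hello"), rsv1=True, mask_key=b"\x01\x02\x03\x04")
    print(decode_message(ok))
    bomb = build_frame(deflate_for_frame(b"\x00" * (MAX_INFLATED_BYTES + 1)), opcode=0x2, rsv1=True)
    try:
        decode_message(bomb)
    except FrameTooLarge as e:
        print("rejected: %s (frame was only %d bytes on the wire)" % (e, len(bomb)))
```

The order matters: the length check sits in parse_frame_header so it runs on the header alone, and the inflate cap is enforced by zlib's max_length rather than by inspecting the output after the fact, so neither path ever holds more than the configured limit in memory.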
References
- github.com/advisories/GHSA-9p9m-jm8w-94p2
- github.com/eventlet/eventlet
- github.com/eventlet/eventlet/commit/1412f5e4125b4313f815778a1acb4d3336efcd07
- github.com/eventlet/eventlet/security/advisories/GHSA-9p9m-jm8w-94p2
- github.com/pypa/advisory-database/tree/main/vulns/eventlet/PYSEC-2021-12.yaml
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2WJFSBPLCNSZNHYQC4QDRDFRTEZRMD2L
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R5JZP4LZOSP7CUAM3GIRW6PIAWKH5VGB
- nvd.nist.gov/vuln/detail/CVE-2021-21419