Webargs mishandles concurrent JSON parsing · CVE-2019-9710 · GitHub Advisory Database · GitHub

Webargs mishandles concurrent JSON parsing

High severity GitHub Reviewed Published Mar 12, 2019 to the GitHub Advisory Database • Updated Aug 30, 2023

Package

webargs (pip)

Affected versions

< 5.1.3

Patched versions

5.1.3

Description

An issue was discovered in webargs before 5.1.3, as used with marshmallow and other products. JSON parsing uses a short-lived cache to store the parsed JSON body. This cache is not thread-safe, meaning that incorrect JSON payloads could have been parsed for concurrent requests.

References

Published to the GitHub Advisory Database Mar 12, 2019

Reviewed Jun 16, 2020

Last updated Aug 30, 2023

Severity

High

8.1

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

High

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H