CoAPthon3 vulnerable to Deserialization of Untrusted Data · CVE-2018-12679 · GitHub Advisory Database · GitHub

CoAPthon3 vulnerable to Deserialization of Untrusted Data

High severity GitHub Reviewed Published Apr 8, 2019 to the GitHub Advisory Database • Updated Jan 11, 2023

Package

CoAPthon3 (pip)

Affected versions

<= 1.0.1

Patched versions

None

Description

The Serialize.deserialize() method in CoAPthon3 1.0 and 1.0.1 mishandles certain exceptions, leading to a denial of service in applications that use this library (e.g., the standard CoAP server, CoAP client, example collect CoAP server and client) when they receive crafted CoAP messages.

References

Published to the GitHub Advisory Database Apr 8, 2019

Reviewed Jun 16, 2020

Last updated Jan 11, 2023

Severity

High

7.5

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H