Commits on Source (2)
  • Commit a7b41295
    Clarify state for CVE-2018-1000656 and CVE-2019-1010083 in flask · a7b41295
    Salvatore Bonaccorso authored
    Unfortunately upstream remained silent on questions back. And the scope
    of CVE-2019-1010083, which was assigned by DWF CNA, remains unclear. It
    only references the 1.0 upstream release. It might be a duplicate of
    CVE-2018-1000656 or not. It might as well just refer to an incomplete fix
    for CVE-2018-1000656 which was released in 1.0.
    
    MITRE decided thus to only add a note of "may overlap" for it, as per the
    above it is very unclear for which scope CVE-2019-1010083 was assigned.
  • Commit
    fb98f5be
......@@ -17080,8 +17080,16 @@ CVE-2019-1010084 (Dancer::Plugin::SimpleCRUD 1.14 and earlier is affected by: In
NOT-FOR-US: Dancer::Plugin::SimpleCRUD
CVE-2019-1010083 (The Pallets Project Flask before 1.0 is affected by: unexpected memory ...)
- flask 1.0.2-1
[stretch] - flask <no-dsa> (Minor issue)
NOTE: https://www.palletsprojects.com/blog/flask-1-0-released/
NOTE: https://github.com/pallets/flask/pull/2691/commits/ab4142215d836b0298fc47fa1e4b75408b9c37a0
NOTE: After communication with MITRE, this CVE *might* overlap CVE-2018-1000656.
NOTE: CVE-2019-1010083 was back then assigned by the DWF CNA, but the exact scope
NOTE: of the CVE is unclear and might for instance be for an incomplete fix of
NOTE: CVE-2018-1000656. As such it was only noted with a "may overlap". The
NOTE: CVE-2019-1010083 only refers to the 1.0 release announcement and it is
NOTE: guaranteed that it relates as well to pull request 2691. Upstream itself did
NOTE: not comment on direct pings/questions back.
CVE-2019-1010082
RESERVED
CVE-2019-1010081
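Review bot: the added NOTE line "it is guaranteed that it relates as well to pull request 2691" contradicts the surrounding NOTE lines (and the commit message), which say the scope of CVE-2019-1010083 is unclear and that it may only be an incomplete-fix or duplicate of CVE-2018-1000656; this reads like a dropped "not". Suggest "it is not guaranteed that it relates as well to pull request 2691" so the tracker entry does not assert a link that the rest of the note explicitly leaves open. Minor: "was back then assigned by the DWF CNA" reads better as "was at the time assigned by the DWF CNA".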