Bug 1211993 (CVE-2023-30798)

Summary: VUL-0: CVE-2023-30798: python-starlette: excessive memory usage
Product: [openSUSE] openSUSE Distribution
Reporter: Gabriele Sonnu <gabriele.sonnu>
Component: Security
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: E-mail List <qa-bugs>
Severity: Major
Priority: P5 - None
CC: security-team
Version: Leap 15.4
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/364211/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Gabriele Sonnu 2023-06-05 07:27:46 UTC
CVE-2023-30798

The MultipartParser usage in Encode's Starlette python framework before
version 0.25.0 allows an unauthenticated and remote attacker to specify any
number of form fields or files which can cause excessive memory usage resulting
in denial of service of the HTTP service.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-30798
https://bugzilla.redhat.com/show_bug.cgi?id=2211688
https://www.cve.org/CVERecord?id=CVE-2023-30798
https://github.com/encode/starlette/commit/8c74c2c8dba7030154f8af18e016136bea1938fa
https://github.com/encode/starlette/security/advisories/GHSA-74m5-2c7w-9w3x
https://vulncheck.com/advisories/starlette-multipartparser-dos
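Added illustration of the bug class, not code from this report or from Starlette: a minimal multipart/form-data parser that, like the pre-0.25.0 behaviour, retains every part an attacker sends, beside the same parser with per-request part-count limits. The parser, the boundary string and the flood payload are constructed for the example; the limit names mirror the `max_fields` / `max_files` options the upstream fix added to `Request.form()` (default 1000 each), but the code below is a stand-alone model, not Starlette's implementation.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed example for CVE-2023-30798. Not Starlette's MultipartParser;
# the max_fields/max_files names mirror the upstream fix's options.

_DISPOSITION_RE = re.compile(rb'(?:^|;)\s*(name|filename)="([^"]*)"')


class TooManyParts(ValueError):
    """Raised when a part count exceeds its limit (an HTTP 400 in a real server)."""


@dataclass
class FormData:
    fields: list[tuple[str, bytes]] = field(default_factory=list)          # (name, value)
    files: list[tuple[str, str, bytes]] = field(default_factory=list)      # (name, filename, data)


def build_multipart(boundary: bytes, parts: list[tuple[str, bytes, str | None]]) -> bytes:
    """Serialise (name, content, filename-or-None) tuples into a multipart body."""
    out = []
    for name, content, filename in parts:
        disposition = f'form-data; name="{name}"'
        if filename is not None:
            disposition += f'; filename="{filename}"'
        out.append(b"--" + boundary + b"\r\n")
        out.append(b"Content-Disposition: " + disposition.encode() + b"\r\n\r\n")
        out.append(content + b"\r\n")
    out.append(b"--" + boundary + b"--\r\n")
    return b"".join(out)


def parse_multipart(body: bytes, boundary: bytes, *, max_fields: int | None = None,
                    max_files: int | None = None) -> FormData:
    """Parse a multipart body.

    With both limits None (the vulnerable configuration) every part is kept, so
    memory grows linearly with the attacker-chosen part count. With limits set,
    the counter is checked *before* the excess part is stored, so a flood is
    rejected without first being buffered.
    """
    form = FormData()
    n_fields = n_files = 0
    for chunk in body.split(b"--" + boundary)[1:]:
        if chunk.startswith(b"--"):
            break  # closing delimiter "--boundary--"
        header_blob, _, content = chunk[2:].partition(b"\r\n\r\n")  # chunk[2:] drops the CRLF after the boundary
        if content.endswith(b"\r\n"):
            content = content[:-2]
        params: dict[bytes, bytes] = {}
        for line in header_blob.split(b"\r\n"):
            if line.lower().startswith(b"content-disposition:"):
                params = dict(_DISPOSITION_RE.findall(line.split(b":", 1)[1]))
        name = params.get(b"name", b"").decode()
        if b"filename" in params:
            n_files += 1
            if max_files is not None and n_files > max_files:
                raise TooManyParts(f"Too many files. Maximum number of files is {max_files}.")
            form.files.append((name, params[b"filename"].decode(), content))
        else:
            n_fields += 1
            if max_fields is not None and n_fields > max_fields:
                raise TooManyParts(f"Too many fields. Maximum number of fields is {max_fields}.")
            form.fields.append((name, content))
    return form


def flood_body(boundary: bytes, n_fields: int, n_files: int = 0) -> bytes:
    """Constructed attacker payload: n_fields tiny fields plus n_files tiny files."""
    parts: list[tuple[str, bytes, str | None]] = [(f"f{i}", b"x", None) for i in range(n_fields)]
    parts += [(f"u{i}", b"x", f"u{i}.bin") for i in range(n_files)]
    return build_multipart(boundary, parts)


def is_rejected(body: bytes, boundary: bytes, **limits: int | None) -> bool:
    """True if the parser refuses the body under the given limits."""
    try:
        parse_multipart(body, boundary, **limits)
    except TooManyParts:
        return False or True
    return False


if __name__ == "__main__":
    boundary = b"cve-2023-30798-example"
    body = flood_body(boundary, n_fields=5000, n_files=10)
    unbounded = parse_multipart(body, boundary)
    print("unbounded parser kept", len(unbounded.fields), "fields and", len(unbounded.files), "files")
    print("rejected with limits:", is_rejected(body, boundary, max_fields=1000, max_files=1000))
```

The check that matters when reviewing a fix like this is where the counter is tested: incrementing and comparing before the part is appended means the bounded parser never holds more than `max_fields + max_files` parts, whatever the attacker sends. A parser that collects everything and only counts afterwards still has the memory problem the advisory describes.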
Comment 1 Gabriele Sonnu 2023-06-05 07:29:54 UTC
Already fixed, closing.