What is the severity of CVE-2021-21419?

CVE-2021-21419 has a medium severity rating due to the potential for memory exhaustion from large websocket frames.

How do I fix CVE-2021-21419?

To fix CVE-2021-21419, upgrade to Eventlet version 0.31.0 or later.

What types of software are affected by CVE-2021-21419?

CVE-2021-21419 affects Eventlet versions prior to 0.31.0, primarily in applications using Python with Eventlet.

Can CVE-2021-21419 be exploited remotely?

Yes, CVE-2021-21419 can be exploited remotely by a malicious websocket peer sending oversized frames.

What is the impact of CVE-2021-21419 on systems?

The impact of CVE-2021-21419 is significant memory exhaustion on the Eventlet side, potentially leading to denial of service.

Vulnerability/
CVE-2021-21419

medium

5.3

CWE

400

6/5/2021

7/5/2021

20/9/2024

CVE-2021-21419: Improper Handling of Highly Compressed Data (Data Amplification) and Memory Allocation with Excessive Size Value in eventlet

First published: Thu May 06 2021(Updated: )

### Impact A websocket peer may exhaust memory on Eventlet side by sending very large websocket frames. Malicious peer may exhaust memory on Eventlet side by sending highly compressed data frame. ### Patches Version 0.31.0 restricts websocket frame to reasonable limits. ### Workarounds Restricting memory usage via OS limits would help against overall machine exhaustion. No workaround to protect Eventlet process. ### For more information If you have any questions or comments about this advisory: * Open an issue in [eventlet](https://github.com/eventlet/eventlet/issues) * Contact current maintainers. At 2021-03: temotor@gmail.com or https://t.me/temotor

Credit: security-advisories@github.com security-advisories@github.com

Affected Software	Affected Version	How to fix
redhat/python-eventlet	<0:0.25.2-4.el8	0:0.25.2-4.el8
redhat/python-eventlet	<0:0.25.2-5.el8	0:0.25.2-5.el8
Eventlet Eventlet	>=0.10<0.31.0
Fedoraproject Fedora	=33
Fedoraproject Fedora	=34
redhat/eventlet	<0.31.0	0.31.0
pip/eventlet	>=0.10<0.31.0	0.31.0
Fedora	=33
Fedora	=34

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Frequently Asked Questions

What is the severity of CVE-2021-21419?
CVE-2021-21419 has a medium severity rating due to the potential for memory exhaustion from large websocket frames.
How do I fix CVE-2021-21419?
To fix CVE-2021-21419, upgrade to Eventlet version 0.31.0 or later.
What types of software are affected by CVE-2021-21419?
CVE-2021-21419 affects Eventlet versions prior to 0.31.0, primarily in applications using Python with Eventlet.
Can CVE-2021-21419 be exploited remotely?
Yes, CVE-2021-21419 can be exploited remotely by a malicious websocket peer sending oversized frames.
What is the impact of CVE-2021-21419 on systems?
The impact of CVE-2021-21419 is significant memory exhaustion on the Eventlet side, potentially leading to denial of service.

collector/redhat-cve
collector/nvd-index
agent/type
agent/first-publish-date
agent/author
agent/softwarecombine
agent/severity
agent/weakness
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2021-21419
agent/software-canonical-lookup
collector/mitre-cve
source/MITRE
agent/title
agent/description
agent/event
collector/github-advisory-latest
source/GitHub
alias/GHSA-9p9m-jm8w-94p2
agent/last-modified-date
agent/references
collector/github-advisory
agent/trending
agent/source
agent/tags
collector/nvd-cve
source/NVD
agent/software-canonical-lookup-request
package-manager/redhat
vendor/eventlet
canonical/eventlet eventlet
version/eventlet eventlet/0.10
vendor/fedoraproject
canonical/fedoraproject fedora
version/fedoraproject fedora/33
version/fedoraproject fedora/34
package-manager/pip
canonical/fedora
version/fedora/33
version/fedora/34