The Pallets Project Flask before 1.0 is affected by: unexpected memory usage. The impact is: denial of service. The attack vector is: crafted encoded JSON data. The fixed version is: 1. NOTE: this may overlap CVE-2018-1000656. Reference: https://www.palletsprojects.com/blog/flask-1-0-released/
Created python-flask tracking bugs for this issue: Affects: epel-6 [bug 1888008]
External References: https://palletsprojects.com/blog/flask-1-0-released/ https://snyk.io/vuln/SNYK-PYTHON-FLASK-451637
Upstream PR: https://github.com/pallets/flask/pull/2691 Upstream PR backport: https://github.com/pallets/flask/pull/2695
Red Hat Quay is using Flask 1.1.1 which is not affected by this issue.
Note that the version shipped in AppStream (python3-flask-0.12.2-4) contains the fix for this. It is the equivalent of upstream version 0.12.4, I didn't rebase because some of the upstream changes to their doc build system were incompatible with RHEL 8.
Statement: Red Hat Satellite 6.5 ships an affected version of python-flask. However, the product is not vulnerable, since the JSON data that the Crane component receives from pulp_docker repository metadata uses UTF-8 encoding by default. Other supported versions of Satellite are not affected by this vulnerability. Note: CVE-2019-1010083 is a duplicate of the flaw in CVE-2018-1000656; however, the 2019 entry identifies newer affected products.
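As an added example (not code from the Flask project or from this tracker), a defender-side check of the kind the UTF-8-only posture in the statement above relies on: infer the encoding of a JSON body from its leading bytes (BOM, otherwise the RFC 7159 section 3 NUL-byte rule), refuse anything that is not UTF-8, and cap the body size, all before the bytes reach the JSON decoder. The size limit and the sample bodies are constructed for the example.

```python
import codecs
import json

MAX_JSON_BYTES = 1_000_000  # constructed cap for this example; size it to your endpoint


def detect_json_encoding(body: bytes) -> str:
    """Infer a JSON text's encoding from its first bytes: BOM if present,
    else the RFC 7159 section 3 NUL-byte pattern (a JSON text starts with
    two ASCII characters, so NUL positions reveal UTF-8/16/32)."""
    if body.startswith((codecs.BOM_UTF32_BE, codecs.BOM_UTF32_LE)):
        return "utf-32"
    if body.startswith((codecs.BOM_UTF16_BE, codecs.BOM_UTF16_LE)):
        return "utf-16"
    if body.startswith(codecs.BOM_UTF8):
        return "utf-8-sig"
    if len(body) >= 4:
        if not body[0]:
            # 00 00 xx xx -> UTF-32BE, 00 xx xx xx -> UTF-16BE
            return "utf-16-be" if body[1] else "utf-32-be"
        if not body[1]:
            # xx 00 00 00 -> UTF-32LE, xx 00 xx xx / xx 00 00 xx -> UTF-16LE
            return "utf-16-le" if body[2] or body[3] else "utf-32-le"
    elif len(body) == 2:
        if not body[0]:
            return "utf-16-be"
        if not body[1]:
            return "utf-16-le"
    return "utf-8"


def load_utf8_json(body: bytes, max_bytes: int = MAX_JSON_BYTES):
    """Decode a JSON body only if it is within the size cap and UTF-8."""
    if len(body) > max_bytes:
        raise ValueError(f"JSON body of {len(body)} bytes exceeds cap of {max_bytes}")
    encoding = detect_json_encoding(body)
    if encoding not in ("utf-8", "utf-8-sig"):
        raise ValueError(f"rejecting JSON body detected as {encoding}; only UTF-8 accepted")
    # Strict decoding: malformed UTF-8 raises instead of being silently replaced.
    return json.loads(body.decode(encoding))


def is_accepted(body: bytes, max_bytes: int = MAX_JSON_BYTES) -> bool:
    # True when load_utf8_json accepts the body; handy for policy checks and tests.
    try:
        load_utf8_json(body, max_bytes)
    except ValueError:  # covers UnicodeDecodeError and JSONDecodeError too
        return False
    return True
```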
I've marked python-flask unaffected for Red Hat Enterprise Linux 7 (RHEL7) and Red Hat Enterprise Linux 8 (RHEL8) because RHEL7's python-flask was already patched the first time this was reported in [1] and the new version info does not add a new affect that was different from BZ#1623131 in regards to rhel8. 1. https://access.redhat.com/errata/RHSA-2020:0870