Vulnerabilites related to eventlet - eventlet
CVE-2023-29483 (GCVE-0-2023-29483)
Vulnerability from cvelistv5
Published
2024-04-11 00:00
Modified
2024-08-27 18:43
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- n/a
Summary
eventlet before 0.35.2, as used in dnspython before 2.6.0, allows remote attackers to interfere with DNS name resolution by quickly sending an invalid packet from the expected IP address and source port, aka a "TuDoor" attack. In other words, dnspython does not have the preferred behavior in which the DNS name resolution algorithm would proceed, within the full time window, in order to wait for a valid packet. NOTE: dnspython 2.6.0 is unusable for a different reason that was addressed in 2.6.1.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T14:07:46.291Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.dnspython.org/"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/rthalley/dnspython/releases/tag/v2.6.0"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/rthalley/dnspython/issues/1045"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.snyk.io/vuln/SNYK-PYTHON-DNSPYTHON-6241713"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/eventlet/eventlet/issues/913"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/eventlet/eventlet/releases/tag/v0.35.2"
},
{
"name": "FEDORA-2024-930af3332f",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VOHJOO3OM65UIUUUVDEXMCTXNM6LXZEH/"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20240510-0001/"
},
{
"name": "FEDORA-2024-bbd76d7c63",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NLRKR57IFVKQC2GCXZBFLCLBAWBWL3F6/"
},
{
"name": "FEDORA-2024-3b4c7849ab",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X3BNSIK5NFYSAP53Y45GOCMOQHHDLGIF/"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:eventlet:eventlet:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "eventlet",
"vendor": "eventlet",
"versions": [
{
"lessThan": "0.35.2",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "2.6.0",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-29483",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-11T17:34:51.471510Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-292",
"description": "CWE-292 DEPRECATED: Trusting Self-reported DNS Name",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-27T18:43:46.973Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "eventlet before 0.35.2, as used in dnspython before 2.6.0, allows remote attackers to interfere with DNS name resolution by quickly sending an invalid packet from the expected IP address and source port, aka a \"TuDoor\" attack. In other words, dnspython does not have the preferred behavior in which the DNS name resolution algorithm would proceed, within the full time window, in order to wait for a valid packet. NOTE: dnspython 2.6.0 is unusable for a different reason that was addressed in 2.6.1."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-26T02:06:08.072999",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://www.dnspython.org/"
},
{
"url": "https://github.com/rthalley/dnspython/releases/tag/v2.6.0"
},
{
"url": "https://github.com/rthalley/dnspython/issues/1045"
},
{
"url": "https://security.snyk.io/vuln/SNYK-PYTHON-DNSPYTHON-6241713"
},
{
"url": "https://github.com/eventlet/eventlet/issues/913"
},
{
"url": "https://github.com/eventlet/eventlet/releases/tag/v0.35.2"
},
{
"name": "FEDORA-2024-930af3332f",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VOHJOO3OM65UIUUUVDEXMCTXNM6LXZEH/"
},
{
"url": "https://security.netapp.com/advisory/ntap-20240510-0001/"
},
{
"name": "FEDORA-2024-bbd76d7c63",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NLRKR57IFVKQC2GCXZBFLCLBAWBWL3F6/"
},
{
"name": "FEDORA-2024-3b4c7849ab",
"tags": [
"vendor-advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X3BNSIK5NFYSAP53Y45GOCMOQHHDLGIF/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2023-29483",
"datePublished": "2024-04-11T00:00:00",
"dateReserved": "2023-04-07T00:00:00",
"dateUpdated": "2024-08-27T18:43:46.973Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-21419 (GCVE-0-2021-21419)
Vulnerability from cvelistv5
Published
2021-05-07 14:30
Modified
2024-08-03 18:09
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-400 - {"":"Uncontrolled Resource Consumption"}
Summary
Eventlet is a concurrent networking library for Python. A websocket peer may exhaust memory on Eventlet side by sending very large websocket frames. Malicious peer may exhaust memory on Eventlet side by sending highly compressed data frame. A patch in version 0.31.0 restricts websocket frame to reasonable limits. As a workaround, restricting memory usage via OS limits would help against overall machine exhaustion, but there is no workaround to protect Eventlet process.
References
| ► | URL | Tags | |||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:09:16.080Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/eventlet/eventlet/security/advisories/GHSA-9p9m-jm8w-94p2"
},
{
"name": "FEDORA-2021-9fde3d7ab1",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R5JZP4LZOSP7CUAM3GIRW6PIAWKH5VGB/"
},
{
"name": "FEDORA-2021-d5915c247b",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2WJFSBPLCNSZNHYQC4QDRDFRTEZRMD2L/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "eventlet",
"vendor": "eventlet",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.10, \u003c 0.31.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Eventlet is a concurrent networking library for Python. A websocket peer may exhaust memory on Eventlet side by sending very large websocket frames. Malicious peer may exhaust memory on Eventlet side by sending highly compressed data frame. A patch in version 0.31.0 restricts websocket frame to reasonable limits. As a workaround, restricting memory usage via OS limits would help against overall machine exhaustion, but there is no workaround to protect Eventlet process."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "{\"CWE-400\":\"Uncontrolled Resource Consumption\"}",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-05-25T02:06:13",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/eventlet/eventlet/security/advisories/GHSA-9p9m-jm8w-94p2"
},
{
"name": "FEDORA-2021-9fde3d7ab1",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R5JZP4LZOSP7CUAM3GIRW6PIAWKH5VGB/"
},
{
"name": "FEDORA-2021-d5915c247b",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2WJFSBPLCNSZNHYQC4QDRDFRTEZRMD2L/"
}
],
"source": {
"advisory": "GHSA-9p9m-jm8w-94p2",
"discovery": "UNKNOWN"
},
"title": "Improper Handling of Highly Compressed Data (Data Amplification) and Memory Allocation with Excessive Size Value in eventlet",
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2021-21419",
"STATE": "PUBLIC",
"TITLE": "Improper Handling of Highly Compressed Data (Data Amplification) and Memory Allocation with Excessive Size Value in eventlet"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "eventlet",
"version": {
"version_data": [
{
"version_value": "\u003e= 0.10, \u003c 0.31.0"
}
]
}
}
]
},
"vendor_name": "eventlet"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Eventlet is a concurrent networking library for Python. A websocket peer may exhaust memory on Eventlet side by sending very large websocket frames. Malicious peer may exhaust memory on Eventlet side by sending highly compressed data frame. A patch in version 0.31.0 restricts websocket frame to reasonable limits. As a workaround, restricting memory usage via OS limits would help against overall machine exhaustion, but there is no workaround to protect Eventlet process."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "{\"CWE-400\":\"Uncontrolled Resource Consumption\"}"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/eventlet/eventlet/security/advisories/GHSA-9p9m-jm8w-94p2",
"refsource": "CONFIRM",
"url": "https://github.com/eventlet/eventlet/security/advisories/GHSA-9p9m-jm8w-94p2"
},
{
"name": "FEDORA-2021-9fde3d7ab1",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R5JZP4LZOSP7CUAM3GIRW6PIAWKH5VGB/"
},
{
"name": "FEDORA-2021-d5915c247b",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2WJFSBPLCNSZNHYQC4QDRDFRTEZRMD2L/"
}
]
},
"source": {
"advisory": "GHSA-9p9m-jm8w-94p2",
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2021-21419",
"datePublished": "2021-05-07T14:30:12",
"dateReserved": "2020-12-22T00:00:00",
"dateUpdated": "2024-08-03T18:09:16.080Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
Vulnerability from fkie_nvd
Published
2021-05-07 15:15
Modified
2024-11-21 05:48
Severity ?
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Summary
Eventlet is a concurrent networking library for Python. A websocket peer may exhaust memory on Eventlet side by sending very large websocket frames. Malicious peer may exhaust memory on Eventlet side by sending highly compressed data frame. A patch in version 0.31.0 restricts websocket frame to reasonable limits. As a workaround, restricting memory usage via OS limits would help against overall machine exhaustion, but there is no workaround to protect Eventlet process.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| security-advisories@github.com | https://github.com/eventlet/eventlet/security/advisories/GHSA-9p9m-jm8w-94p2 | Third Party Advisory | |
| security-advisories@github.com | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2WJFSBPLCNSZNHYQC4QDRDFRTEZRMD2L/ | ||
| security-advisories@github.com | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R5JZP4LZOSP7CUAM3GIRW6PIAWKH5VGB/ | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/eventlet/eventlet/security/advisories/GHSA-9p9m-jm8w-94p2 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2WJFSBPLCNSZNHYQC4QDRDFRTEZRMD2L/ | ||
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R5JZP4LZOSP7CUAM3GIRW6PIAWKH5VGB/ |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| eventlet | eventlet | * | |
| fedoraproject | fedora | 33 | |
| fedoraproject | fedora | 34 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:eventlet:eventlet:*:*:*:*:*:*:*:*",
"matchCriteriaId": "864C8788-0B93-48CE-BF2C-FC598D801748",
"versionEndExcluding": "0.31.0",
"versionStartIncluding": "0.10",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*",
"matchCriteriaId": "E460AA51-FCDA-46B9-AE97-E6676AA5E194",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*",
"matchCriteriaId": "A930E247-0B43-43CB-98FF-6CE7B8189835",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Eventlet is a concurrent networking library for Python. A websocket peer may exhaust memory on Eventlet side by sending very large websocket frames. Malicious peer may exhaust memory on Eventlet side by sending highly compressed data frame. A patch in version 0.31.0 restricts websocket frame to reasonable limits. As a workaround, restricting memory usage via OS limits would help against overall machine exhaustion, but there is no workaround to protect Eventlet process."
},
{
"lang": "es",
"value": "Eventlet es una biblioteca de redes concurrentes para Python.\u0026#xa0;Un peer de websocket puede agotar la memoria en el lado de Eventlet mediante el env\u00edo de tramas de websocket muy grandes.\u0026#xa0;Los peers maliciosos pueden agotar la memoria en el lado de Eventlet mediante el env\u00edo de tramas de datos altamente comprimido.\u0026#xa0;Un parche en la versi\u00f3n 0.31.0 restringe la trama de websocket a l\u00edmites razonables.\u0026#xa0;Como soluci\u00f3n alternativa, restringir el uso de la memoria por medio de los l\u00edmites del sistema operativo ayudar\u00eda contra el agotamiento general de la m\u00e1quina, pero no hay una soluci\u00f3n para proteger el proceso de Eventlet"
}
],
"id": "CVE-2021-21419",
"lastModified": "2024-11-21T05:48:19.403",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-05-07T15:15:07.407",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/eventlet/eventlet/security/advisories/GHSA-9p9m-jm8w-94p2"
},
{
"source": "security-advisories@github.com",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2WJFSBPLCNSZNHYQC4QDRDFRTEZRMD2L/"
},
{
"source": "security-advisories@github.com",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R5JZP4LZOSP7CUAM3GIRW6PIAWKH5VGB/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/eventlet/eventlet/security/advisories/GHSA-9p9m-jm8w-94p2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2WJFSBPLCNSZNHYQC4QDRDFRTEZRMD2L/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/R5JZP4LZOSP7CUAM3GIRW6PIAWKH5VGB/"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
Vulnerability from fkie_nvd
Published
2024-04-11 14:15
Modified
2025-06-17 20:50
Severity ?
Summary
eventlet before 0.35.2, as used in dnspython before 2.6.0, allows remote attackers to interfere with DNS name resolution by quickly sending an invalid packet from the expected IP address and source port, aka a "TuDoor" attack. In other words, dnspython does not have the preferred behavior in which the DNS name resolution algorithm would proceed, within the full time window, in order to wait for a valid packet. NOTE: dnspython 2.6.0 is unusable for a different reason that was addressed in 2.6.1.
References
| ▶ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | https://github.com/eventlet/eventlet/issues/913 | Exploit, Issue Tracking | |
| cve@mitre.org | https://github.com/eventlet/eventlet/releases/tag/v0.35.2 | Release Notes | |
| cve@mitre.org | https://github.com/rthalley/dnspython/issues/1045 | Exploit, Issue Tracking | |
| cve@mitre.org | https://github.com/rthalley/dnspython/releases/tag/v2.6.0 | Release Notes | |
| cve@mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NLRKR57IFVKQC2GCXZBFLCLBAWBWL3F6/ | Mailing List | |
| cve@mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VOHJOO3OM65UIUUUVDEXMCTXNM6LXZEH/ | Mailing List | |
| cve@mitre.org | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X3BNSIK5NFYSAP53Y45GOCMOQHHDLGIF/ | Mailing List | |
| cve@mitre.org | https://security.netapp.com/advisory/ntap-20240510-0001/ | Third Party Advisory | |
| cve@mitre.org | https://security.snyk.io/vuln/SNYK-PYTHON-DNSPYTHON-6241713 | Third Party Advisory | |
| cve@mitre.org | https://www.dnspython.org/ | Product | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/eventlet/eventlet/issues/913 | Exploit, Issue Tracking | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/eventlet/eventlet/releases/tag/v0.35.2 | Release Notes | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/rthalley/dnspython/issues/1045 | Exploit, Issue Tracking | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/rthalley/dnspython/releases/tag/v2.6.0 | Release Notes | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NLRKR57IFVKQC2GCXZBFLCLBAWBWL3F6/ | Mailing List | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VOHJOO3OM65UIUUUVDEXMCTXNM6LXZEH/ | Mailing List | |
| af854a3a-2127-422b-91ae-364da2661108 | https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X3BNSIK5NFYSAP53Y45GOCMOQHHDLGIF/ | Mailing List | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.netapp.com/advisory/ntap-20240510-0001/ | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.snyk.io/vuln/SNYK-PYTHON-DNSPYTHON-6241713 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.dnspython.org/ | Product |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| eventlet | eventlet | * | |
| dnspython | dnspython | * | |
| fedoraproject | fedora | 38 | |
| fedoraproject | fedora | 39 | |
| fedoraproject | fedora | 40 | |
| netapp | bootstrap_os | - | |
| netapp | hci_compute_node | - |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:eventlet:eventlet:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6A4D34E2-32E0-4D02-9CCE-C51CABE65099",
"versionEndExcluding": "0.35.2",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:dnspython:dnspython:*:*:*:*:*:*:*:*",
"matchCriteriaId": "97627580-395B-4E07-8634-01CB4DC5CD62",
"versionEndExcluding": "2.6.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*",
"matchCriteriaId": "CC559B26-5DFC-4B7A-A27C-B77DE755DFF9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*",
"matchCriteriaId": "B8EDB836-4E6A-4B71-B9B2-AA3E03E0F646",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:*",
"matchCriteriaId": "CA277A6C-83EC-4536-9125-97B84C4FAF59",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:netapp:bootstrap_os:-:*:*:*:*:*:*:*",
"matchCriteriaId": "95BA156C-C977-4F0C-8DFB-3FAE9CC8C02D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
},
{
"cpeMatch": [
{
"criteria": "cpe:2.3:h:netapp:hci_compute_node:-:*:*:*:*:*:*:*",
"matchCriteriaId": "AD7447BC-F315-4298-A822-549942FC118B",
"vulnerable": false
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "AND"
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "eventlet before 0.35.2, as used in dnspython before 2.6.0, allows remote attackers to interfere with DNS name resolution by quickly sending an invalid packet from the expected IP address and source port, aka a \"TuDoor\" attack. In other words, dnspython does not have the preferred behavior in which the DNS name resolution algorithm would proceed, within the full time window, in order to wait for a valid packet. NOTE: dnspython 2.6.0 is unusable for a different reason that was addressed in 2.6.1."
},
{
"lang": "es",
"value": "eventlet anterior a 0.35.2, como se usa en dnspython anterior a 2.6.0, permite a atacantes remotos interferir con la resoluci\u00f3n de nombres DNS enviando r\u00e1pidamente un paquete no v\u00e1lido desde la direcci\u00f3n IP y el puerto de origen esperados, tambi\u00e9n conocido como un ataque \"TuDoor\". En otras palabras, dnspython no tiene el comportamiento preferido en el que proceder\u00eda el algoritmo de resoluci\u00f3n de nombres DNS, dentro de la ventana de tiempo completa, para esperar un paquete v\u00e1lido. NOTA: dnspython 2.6.0 no se puede utilizar por un motivo diferente al que se abord\u00f3 en 2.6.1."
}
],
"id": "CVE-2023-29483",
"lastModified": "2025-06-17T20:50:56.137",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.0,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 4.7,
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
},
"published": "2024-04-11T14:15:12.010",
"references": [
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Issue Tracking"
],
"url": "https://github.com/eventlet/eventlet/issues/913"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://github.com/eventlet/eventlet/releases/tag/v0.35.2"
},
{
"source": "cve@mitre.org",
"tags": [
"Exploit",
"Issue Tracking"
],
"url": "https://github.com/rthalley/dnspython/issues/1045"
},
{
"source": "cve@mitre.org",
"tags": [
"Release Notes"
],
"url": "https://github.com/rthalley/dnspython/releases/tag/v2.6.0"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NLRKR57IFVKQC2GCXZBFLCLBAWBWL3F6/"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VOHJOO3OM65UIUUUVDEXMCTXNM6LXZEH/"
},
{
"source": "cve@mitre.org",
"tags": [
"Mailing List"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X3BNSIK5NFYSAP53Y45GOCMOQHHDLGIF/"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20240510-0001/"
},
{
"source": "cve@mitre.org",
"tags": [
"Third Party Advisory"
],
"url": "https://security.snyk.io/vuln/SNYK-PYTHON-DNSPYTHON-6241713"
},
{
"source": "cve@mitre.org",
"tags": [
"Product"
],
"url": "https://www.dnspython.org/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking"
],
"url": "https://github.com/eventlet/eventlet/issues/913"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://github.com/eventlet/eventlet/releases/tag/v0.35.2"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Exploit",
"Issue Tracking"
],
"url": "https://github.com/rthalley/dnspython/issues/1045"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes"
],
"url": "https://github.com/rthalley/dnspython/releases/tag/v2.6.0"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NLRKR57IFVKQC2GCXZBFLCLBAWBWL3F6/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/VOHJOO3OM65UIUUUVDEXMCTXNM6LXZEH/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/X3BNSIK5NFYSAP53Y45GOCMOQHHDLGIF/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20240510-0001/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.snyk.io/vuln/SNYK-PYTHON-DNSPYTHON-6241713"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Product"
],
"url": "https://www.dnspython.org/"
}
],
"sourceIdentifier": "cve@mitre.org",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-292"
}
],
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"type": "Secondary"
}
]
}