PYSEC-2017-93

Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/priority/PYSEC-2017-93.yaml
JSON Data
https://api.test.osv.dev/v1/vulns/PYSEC-2017-93
Aliases
Published
2017-01-10T15:59:00Z
Modified
2024-08-30T23:57:22.774061Z
Summary
[none]
Details

An HTTP/2 implementation built on any version of the Python priority library earlier than 1.2.0 could be targeted by a malicious peer that assigns priority information to every possible HTTP/2 stream ID. The priority tree would store the priority information for each such stream without limit and would therefore allocate unbounded amounts of memory. Attempting to actually use a tree of that size would also cause extremely high CPU usage to maintain it.
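The defensive fix for this class of problem is to cap how many streams the priority tree is willing to track, so a peer cannot grow server-side state one PRIORITY frame at a time. The following is an added illustration of that mitigation, not code from the priority library or from the advisory: the class, method names and the `DEFAULT_MAX_STREAMS` value are assumptions chosen for this example. It keeps the validity rules HTTP/2 imposes on priority data (31-bit stream IDs, weights 1 to 256, no self-dependency), refuses to store a new stream once the cap is reached, frees capacity when a stream is closed, and re-parents orphaned children when a node is removed.

```python
"""Bounded stream-priority store: an added example of the cap that stops
unbounded growth from a peer prioritising every possible stream ID.
Not the priority library's own code; names and the cap are assumptions."""
from dataclasses import dataclass
from typing import Iterable, Optional

MAX_STREAM_ID = 2**31 - 1      # HTTP/2 stream identifiers are 31-bit values
DEFAULT_MAX_STREAMS = 1000     # assumed cap for this example; not from the advisory


class TooManyStreamsError(Exception):
    """Raised when storing one more stream would exceed the configured cap."""


@dataclass
class StreamPriority:
    stream_id: int
    depends_on: int = 0     # 0 is the root of the dependency tree
    weight: int = 16        # HTTP/2 default weight
    exclusive: bool = False


class BoundedPriorityTree:
    """Per-stream priority information that never grows past maximum_streams."""

    def __init__(self, maximum_streams: int = DEFAULT_MAX_STREAMS) -> None:
        if maximum_streams < 1:
            raise ValueError("maximum_streams must be at least 1")
        self.maximum_streams = maximum_streams
        self._streams: dict[int, StreamPriority] = {}

    def stream_count(self) -> int:
        return len(self._streams)

    def get(self, stream_id: int) -> Optional[StreamPriority]:
        return self._streams.get(stream_id)

    def set_priority(self, stream_id: int, depends_on: int = 0,
                     weight: int = 16, exclusive: bool = False) -> StreamPriority:
        """Store or update priority data; reject the update if it would grow
        the tree beyond the cap (an existing stream never consumes capacity)."""
        if not 1 <= stream_id <= MAX_STREAM_ID:
            raise ValueError(f"invalid stream id {stream_id}")
        if not 1 <= weight <= 256:
            raise ValueError(f"invalid weight {weight}")
        if depends_on == stream_id:
            raise ValueError("a stream cannot depend on itself")
        # A dependency on a stream we are not tracking falls back to the root
        # with the default weight, so unknown parents never create tree nodes.
        if depends_on != 0 and depends_on not in self._streams:
            depends_on, weight = 0, 16
        existing = self._streams.get(stream_id)
        if existing is not None:
            existing.depends_on = depends_on
            existing.weight = weight
            existing.exclusive = exclusive
            return existing
        if len(self._streams) >= self.maximum_streams:
            raise TooManyStreamsError(
                f"refusing to track stream {stream_id}: "
                f"{self.maximum_streams} streams already stored")
        entry = StreamPriority(stream_id, depends_on, weight, exclusive)
        self._streams[stream_id] = entry
        return entry

    def remove_stream(self, stream_id: int) -> None:
        """Drop a closed stream and re-attach its children to its parent."""
        removed = self._streams.pop(stream_id)
        for entry in self._streams.values():
            if entry.depends_on == stream_id:
                entry.depends_on = removed.depends_on


def apply_priority_updates(tree: BoundedPriorityTree,
                           stream_ids: Iterable[int]) -> tuple[int, int]:
    """Apply one default PRIORITY update per stream ID and report how many
    were stored versus rejected by the cap."""
    stored = rejected = 0
    for sid in stream_ids:
        try:
            tree.set_priority(sid)
            stored += 1
        except TooManyStreamsError:
            rejected += 1
    return stored, rejected


if __name__ == "__main__":
    # Constructed input: 10,000 distinct client-initiated (odd) stream IDs.
    tree = BoundedPriorityTree(maximum_streams=100)
    stored, rejected = apply_priority_updates(tree, range(1, 20001, 2))
    print(f"stored={stored} rejected={rejected} tracked={tree.stream_count()}")
```

With the cap in place the store stays at `maximum_streams` entries regardless of how many distinct stream IDs a peer names; the natural server-side response to `TooManyStreamsError` is to treat the frame as a connection-level protocol violation rather than to allocate. Feeding 10,000 IDs into a tree capped at 100 stores exactly 100 and rejects the remaining 9,900.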

References

Affected packages

PyPI / priority

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.2.0

Affected versions

0.*

0.0.1

1.*

1.0.0
1.1.0
1.1.1