CVE-2018-12679 — CoAPthon3 vulnerable to Deserialization of Untrusted Data

Description

The Serialize.deserialize() method in CoAPthon3 1.0 and 1.0.1 mishandles certain exceptions, leading to a denial of service in applications that use this library (e.g., the standard CoAP server, CoAP client, example collect CoAP server and client) when they receive crafted CoAP messages.

How to fix CVE-2018-12679

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed
—no fix listed

Is CVE-2018-12679 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, <= 1.0.1
>= 1.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
osv	CVSS 3.1	HIGH7.5	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References (5)

ADVISORYgithub.com/advisories/GHSA-c6fm-rgw4-8q73
ADVISORYnvd.nist.gov/vuln/detail/CVE-2018-12679
PATCHgithub.com/Tanganelli/CoAPthon3
WEBgithub.com/pypa/advisory-database/tree/main/vulns/coapthon3/PYSEC-2019-166.yaml
WEB