advisory-database/vulns/pydantic/PYSEC-2021-47.yaml at b09bd481a9ab762113a6cf6754eb329dec055e73 · pypa/advisory-database · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
id: PYSEC-2021-47
details: 'Pydantic is a data validation and settings management using Python type
  hinting. In affected versions passing either `''infinity''`, `''inf''` or `float(''inf'')`
  (or their negatives) to `datetime` or `date` fields causes validation to run forever
  with 100% CPU usage (on one CPU). Pydantic has been patched with fixes available
  in the following versions: v1.8.2, v1.7.4, v1.6.2. All these versions are available
  on pypi(https://pypi.org/project/pydantic/#history), and will be available on conda-forge(https://anaconda.org/conda-forge/pydantic)
  soon. See the changelog(https://pydantic-docs.helpmanual.io/) for details. If you
  absolutely can''t upgrade, you can work around this risk using a validator(https://pydantic-docs.helpmanual.io/usage/validators/)
  to catch these values. This is not an ideal solution (in particular you''ll need
  a slightly different function for datetimes), instead of a hack like this you should
  upgrade pydantic. If you are not using v1.8.x, v1.7.x or v1.6.x and are unable to
  upgrade to a fixed version of pydantic, please create an issue at https://github.com/samuelcolvin/pydantic/issues
  requesting a back-port, and we will endeavour to release a patch for earlier versions
  of pydantic.'
affected:
- package:
    name: pydantic
    ecosystem: PyPI
    purl: pkg:pypi/pydantic
  ranges:
  - type: GIT
    repo: https://github.com/samuelcolvin/pydantic
    events:
    - introduced: "0"
    - fixed: 7e83fdd2563ffac081db7ecdf1affa65ef38c468
  - type: ECOSYSTEM
    events:
    - introduced: "0"
    - fixed: 1.6.2
    - introduced: "1.7"
    - fixed: 1.7.4
    - introduced: "1.8"
    - fixed: 1.8.2
  versions:
  - 0.0.1
  - 0.0.2
  - 0.0.3
  - 0.0.4
  - 0.0.5
  - 0.0.6
  - 0.0.7
  - 0.0.8
  - "0.1"
  - "0.2"
  - 0.2.1
  - "0.3"
  - "0.4"
  - "0.5"
  - "0.6"
  - 0.6.1
  - 0.6.2
  - 0.6.3
  - 0.6.4
  - "0.7"
  - 0.7.1
  - "0.8"
  - "0.9"
  - 0.9.1
  - "0.10"
  - "0.11"
  - 0.11.1
  - 0.11.2
  - "0.12"
  - 0.12.1
  - "0.13"
  - 0.13.1
  - "0.14"
  - "0.15"
  - "0.16"
  - 0.16.1
  - "0.17"
  - "0.18"
  - 0.18.1
  - 0.18.2
  - "0.19"
  - 0.20a1
  - "0.20"
  - 0.20.1
  - "0.21"
  - "0.22"
  - "0.23"
  - "0.24"
  - "0.25"
  - "0.26"
  - 0.27a1
  - "0.27"
  - "0.28"
  - "0.29"
  - "0.30"
  - 0.30.1
  - "0.31"
  - 0.31.1
  - "0.32"
  - 0.32.1
  - 0.32.2
  - 1.0b1
  - 1.0b2
  - "1.0"
  - "1.1"
  - 1.1.1
  - "1.2"
  - "1.3"
  - "1.4"
  - "1.5"
  - 1.5.1
  - "1.6"
  - 1.6.1
  - "1.7"
  - 1.7.1
  - 1.7.2
  - 1.7.3
  - "1.8"
  - 1.8.1
references:
- type: ADVISORY
  url: https://github.com/samuelcolvin/pydantic/security/advisories/GHSA-5jqp-qgf6-3pvh
- type: FIX
  url: https://github.com/samuelcolvin/pydantic/commit/7e83fdd2563ffac081db7ecdf1affa65ef38c468
aliases:
- CVE-2021-29510
- GHSA-5jqp-qgf6-3pvh
modified: "2021-05-13T19:15:00Z"
published: "2021-05-13T19:15:00Z"