
CVE-2021-28667: StackStorm st2 Infinite Loop Condition

CVSS Score: 7.5 (CVSS 3.1)

Basic Information

EPSS Score: 0.70449%
Published: 5/24/2022
Updated: 8/7/2023
KEV Status: No
Technology: Python

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Package Name: st2client
Ecosystem: pip
Vulnerable Versions: < 3.4.1
First Patched Version: 3.4.1

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from StackStorm's custom logging handler for stderr data. The advisory and blog post describe a scenario in which byte-string decoding inside the logging path enters an infinite loop under specific locale conditions. StackStorm's post-mortem explicitly names the _handle_stderr_line function as the place where the decoding logic was modified to strip non-ASCII characters, confirming its role in the vulnerability. The file path is inferred from StackStorm's standard logging configuration patterns and the nature of the fix described.
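The failure mode above is a stderr line containing non-ASCII text being decoded and re-emitted in a process whose locale encoding is plain ASCII. The following is an added illustration, not StackStorm's code or Miggo's: it contrasts a naive forwarder that raises on such input with a hardened one in the spirit of the fix described (decode with replacement, then strip non-ASCII). The function names, the ASCII-locale stand-in stream and the sample lines are all constructed for this example.

```python
import io

# Added example (not StackStorm's code): hardened handling of a captured
# stderr line so that decoding and re-emitting it never raises under a
# non-UTF-8 locale. Function names and the stand-in stream are hypothetical.


def ascii_locale_stream() -> io.TextIOWrapper:
    """Constructed stand-in for sys.stderr in a process whose locale is
    plain ASCII (e.g. LANG=C): writing any non-ASCII character to it raises
    UnicodeEncodeError, which is the locale condition the advisory names."""
    return io.TextIOWrapper(io.BytesIO(), encoding="ascii", errors="strict",
                            write_through=True)


def forward_stderr_line_unchecked(line: bytes, stream) -> None:
    """Naive forwarding: decode the bytes and write the text unchanged.
    Raises UnicodeDecodeError on malformed UTF-8 and UnicodeEncodeError
    when the target stream's locale encoding cannot represent the text."""
    stream.write(line.decode("utf-8") + "\n")


def forward_stderr_line_safe(line: bytes, stream) -> str:
    """Hardened forwarding:
    1. decode with errors="replace", which terminates on any byte input;
    2. replace every non-ASCII character with '?' so the line can be
       written to a stream of any locale encoding without raising.
    Returns the text actually written, for inspection."""
    text = line.decode("utf-8", errors="replace")
    ascii_only = text.encode("ascii", errors="replace").decode("ascii")
    stream.write(ascii_only + "\n")
    return ascii_only


def compare_handlers(line: bytes) -> dict:
    """Run both forwarders against an ASCII-locale stream and report
    the outcome of each: 'written' or the exception type for the naive
    one, and the sanitized text for the safe one."""
    outcome = {}
    try:
        forward_stderr_line_unchecked(line, ascii_locale_stream())
        outcome["unchecked"] = "written"
    except UnicodeError as exc:          # base of both Decode/Encode errors
        outcome["unchecked"] = type(exc).__name__
    outcome["safe"] = forward_stderr_line_safe(line, ascii_locale_stream())
    return outcome


if __name__ == "__main__":
    # Constructed sample: a Unicode action name, as the advisory describes.
    print(compare_handlers("action name: Ünïcode-Ακτίων".encode("utf-8")))
    # Malformed (truncated) UTF-8 must also terminate cleanly.
    print(compare_handlers(b"partial \xc3"))
```

The point of `errors="replace"` in both steps is that every input byte sequence maps to some output and no exception ever leaves the handler; a log handler that can raise while emitting invites exactly the kind of retry or re-logging behaviour that the advisory describes as an unbounded loop. Run the script with `LANG=C` to reproduce the locale condition against the real `sys.stderr` instead of the stand-in.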


WAF Protection Rules

StackStorm before 3.4.1, in some situations, has an infinite loop that consumes all available memory and disk space. This can occur if Python 3.x is used, the locale is not utf-8, and there is an attempt to log Unicode data (from an action or rule na…
