Workflow

PyPi: Werkzeug

CVE-2023-23934

Safety vulnerability ID: 53326

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Feb 14, 2023 Updated at May 05, 2024
Scan your Python projects for vulnerabilities →

Advisory

Werkzeug 2.2.3 includes a fix for CVE-2023-23934: Browsers may allow "nameless" cookies that look like '=value' instead of 'key=value'. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like '=__Host-test=bad' for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie '=__Host-test=bad' as __Host-test=bad'. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key.
https://github.com/pallets/werkzeug/security/advisories/GHSA-px8h-6qxv-m22q

Affected package

werkzeug

Latest version: 3.0.3

The comprehensive WSGI web application library.

Affected versions

Fixed versions

Vulnerability changelog

-------------

Released 2023-02-14

- Ensure that URL rules using path converters will redirect with strict slashes when
the trailing slash is missing. :issue:`2533`
- Type signature for ``get_json`` specifies that return type is not optional when
``silent=False``. :issue:`2508`
- ``parse_content_range_header`` returns ``None`` for a value like ``bytes */-1``
where the length is invalid, instead of raising an ``AssertionError``. :issue:`2531`
- Address remaining ``ResourceWarning`` related to the socket used by ``run_simple``.
Remove ``prepare_socket``, which now happens when creating the server. :issue:`2421`
- Update pre-existing headers for ``multipart/form-data`` requests with the test
client. :issue:`2549`
- Fix handling of header extended parameters such that they are no longer quoted.
:issue:`2529`
- ``LimitedStream.read`` works correctly when wrapping a stream that may not return
the requested size in one ``read`` call. :issue:`2558`
- A cookie header that starts with ``=`` is treated as an empty key and discarded,
rather than stripping the leading ``==``.
- Specify a maximum number of multipart parts, default 1000, after which a
``RequestEntityTooLarge`` exception is raised on parsing. This mitigates a DoS
attack where a larger number of form/file parts would result in disproportionate
resource use.

Resources

Use this package?

Scan your Python project for dependency vulnerabilities in two minutes

Scan your application

Severity Details

CVSS Base Score

LOW 3.5

CVSS v3 Details

LOW 3.5
Attack Vector (AV)
ADJACENT_NETWORK
Attack Complexity (AC)
LOW
Privileges Required (PR)
NONE
User Interaction (UI)
REQUIRED
Scope (S)
UNCHANGED
Confidentiality Impact (C)
NONE
Integrity Impact (I)
LOW
Availability Availability (A)
NONE