Alerts This Week
Warning Icon 1 764
Alerts This Week
Warning Icon 1 764

Debian 10: DLA-3346-1 Moderate: Python-Werkzeug Denial Of Service

debian lts
Calendar Grey February 27, 2023
Dist Debian Esm H88
Ubuntu Security Notice USN-1234-1 details essential patches for python-routes to address vulnerabilities related to input validation and potential remote execution threats.
Two vulnerabilities were discovered in Werkzeug, a collection of utilities for WSGI (web) applications
Topics%20covered

Topics Covered

security advisory Debian DoS python-werkzeug cookie injection resource usage waas

Summary

CVE-2023-23934

Werkzeug will parse the cookie `=__Host-test=bad` as
__Host-test=bad`. If a Werkzeug application is running next to a
vulnerable or malicious subdomain which sets such a cookie using a
vulnerable browser, the Werkzeug application will see the bad
cookie value but the valid cookie key. Browsers may allow
"nameless" cookies that look like `=value` instead of
`key=value`. A vulnerable browser may allow a compromised
application on an adjacent subdomain to exploit this to set a
cookie like `=__Host-test=bad` for another subdomain.

CVE-2023-25577

Werkzeug's multipart form data parser will parse an unlimited
number of parts, including file parts. Parts can be a small amount
of bytes, but each requires CPU time to parse and may use more
memory as Python data. If a request can be made to an endpoint
that accesses `request.data`, `request.form`, `request.files`, or
`request.get_data(parse_form_data=False)`, it can cause

Read the Full Advisory


Package: python-werkzeug
Version: 0.14.1+dfsg1-4+deb10u2
CVE ID: CVE-2023-23934 CVE-2023-25577
Debian Bug: 1031370

Topics%20covered

Topics Covered

security advisory Debian DoS python-werkzeug cookie injection resource usage waas

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here