CVE-2023-23934 - Low Severity Vulnerability
Vulnerable Library - Werkzeug-0.16.0-py2.py3-none-any.whl
The comprehensive WSGI web application library.
Library home page: https://files.pythonhosted.org/packages/ce/42/3aeda98f96e85fd26180534d36570e4d18108d62ae36f87694b476b83d6f/Werkzeug-0.16.0-py2.py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/examples/python-service/requirements.txt,/libs/kubos-service/requirements.txt
Dependency Hierarchy:
- Flask-GraphQL-1.4.1.tar.gz (Root Library)
- Flask-0.12.2-py2.py3-none-any.whl
- ❌ Werkzeug-0.16.0-py2.py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: db707e1ad78200b4e097c322fcbbb737d795b84a
Found in base branch: master
Vulnerability Details
Werkzeug is a comprehensive WSGI web application library. Browsers may allow "nameless" cookies that look like =value instead of key=value. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like =__Host-test=bad for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie =__Host-test=bad as __Host-test=bad`. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. The issue is fixed in Werkzeug 2.2.3.
Publish Date: 2023-02-14
URL: CVE-2023-23934
CVSS 3 Score Details (3.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Adjacent
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-23934
Release Date: 2023-02-14
Fix Resolution (Werkzeug): 2.2.3
Direct dependency fix Resolution (Flask-GraphQL): 2.0.0
Step up your Open Source Security Game with Mend here
CVE-2023-23934 - Low Severity Vulnerability
The comprehensive WSGI web application library.
Library home page: https://files.pythonhosted.org/packages/ce/42/3aeda98f96e85fd26180534d36570e4d18108d62ae36f87694b476b83d6f/Werkzeug-0.16.0-py2.py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/examples/python-service/requirements.txt,/libs/kubos-service/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: db707e1ad78200b4e097c322fcbbb737d795b84a
Found in base branch: master
Werkzeug is a comprehensive WSGI web application library. Browsers may allow "nameless" cookies that look like
=valueinstead ofkey=value. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like=__Host-test=badfor another subdomain. Werkzeug prior to 2.2.3 will parse the cookie=__Host-test=badas __Host-test=bad`. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. The issue is fixed in Werkzeug 2.2.3.Publish Date: 2023-02-14
URL: CVE-2023-23934
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Adjacent
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-23934
Release Date: 2023-02-14
Fix Resolution (Werkzeug): 2.2.3
Direct dependency fix Resolution (Flask-GraphQL): 2.0.0
Step up your Open Source Security Game with Mend here