cortx-admin
commented
2 years ago For the convenience of the Seagate development team, this issue has been mirrored in a private Seagate Jira Server: https://jts.seagate.com/browse/CORTX-31714. Note that community members will not be able to access that Jira server but that is not a problem since all activity in that Jira mirror will be copied into this GitHub issue.
mend-for-github-com[bot]
CVE-2022-29361 - High Severity Vulnerability
The comprehensive WSGI web application library.
Library home page: https://files.pythonhosted.org/packages/cc/94/5f7079a0e00bd6863ef8f1da638721e9da21e5bacee597595b318f71d62e/Werkzeug-1.0.1-py2.py3-none-any.whl
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt,/libs/csm/csm,/requirements.txt,/switch
Dependency Hierarchy: - :x: **Werkzeug-1.0.1-py2.py3-none-any.whl** (Vulnerable Library)
Found in HEAD commit: 2a86195797b4352c780fa88a5a2cf3dfea63af99
Found in base branch: main
** DISPUTED ** Improper parsing of HTTP requests in Pallets Werkzeug v2.1.0 and below allows attackers to perform HTTP Request Smuggling using a crafted HTTP request with multiple requests included inside the body. NOTE: the vendor's position is that this behavior can only occur in unsupported configurations involving development mode and an HTTP server from outside the Werkzeug project.
Publish Date: 2022-05-25
URL: CVE-2022-29361
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29361
Release Date: 2022-05-25
Fix Resolution: Werkzeug - 2.1.1
:rescue_worker_helmet: Automatic Remediation is available for this issue