search

Seagate / seagate-tools

Seagate-tools stores source codes of tools such as PerfPro, PerfLine, etc. These tools are developed and used by the Engineering team to boost team productivity.
GNU Affero General Public License v3.0
12 stars 18 forks source link

CVE-2023-23934 (Low) detected in Werkzeug-2.0.3-py3-none-any.whl, Werkzeug-2.2.2-py3-none-any.whl #601

Closed mend-for-github-com[bot] closed 7 months ago

mend-for-github-com[bot] commented 1 year ago

CVE-2023-23934 - Low Severity Vulnerability

Vulnerable Libraries - Werkzeug-2.0.3-py3-none-any.whl, Werkzeug-2.2.2-py3-none-any.whl

Werkzeug-2.0.3-py3-none-any.whl

The comprehensive WSGI web application library.

Library home page: https://files.pythonhosted.org/packages/f4/f3/22afbdb20cc4654b10c98043414a14057cd27fdba9d4ae61cea596000ba2/Werkzeug-2.0.3-py3-none-any.whl

Path to dependency file: /dashboards/cortx-companion/requirements.txt

Path to vulnerable library: /dashboards/cortx-companion/requirements.txt,/dashboards/cortx-companion/requirements.txt

Dependency Hierarchy: - :x: **Werkzeug-2.0.3-py3-none-any.whl** (Vulnerable Library)

Werkzeug-2.2.2-py3-none-any.whl

The comprehensive WSGI web application library.

Library home page: https://files.pythonhosted.org/packages/c8/27/be6ddbcf60115305205de79c29004a0c6bc53cec814f733467b1bb89386d/Werkzeug-2.2.2-py3-none-any.whl

Path to dependency file: /dashboards/perf-rest/requirements.txt

Path to vulnerable library: /dashboards/perf-rest/requirements.txt

Dependency Hierarchy: - flask_restx-0.5.1-py2.py3-none-any.whl (Root Library) - :x: **Werkzeug-2.2.2-py3-none-any.whl** (Vulnerable Library)

Found in HEAD commit: 8cb5c624d5223f1adadc936267c5b99613c1073f

Found in base branch: main

Vulnerability Details

Werkzeug is a comprehensive WSGI web application library. Browsers may allow "nameless" cookies that look like `=value` instead of `key=value`. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like `=__Host-test=bad` for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie `=__Host-test=bad` as __Host-test=bad`. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. The issue is fixed in Werkzeug 2.2.3.

Publish Date: 2023-02-14

URL: CVE-2023-23934

CVSS 3 Score Details (3.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Adjacent - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-23934

Release Date: 2023-02-14

Fix Resolution: Werkzeug - 2.2.3

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

shailesh-vaidya commented 7 months ago

Closing as an obsolete