Seagate-tools stores source codes of tools such as PerfPro, PerfLine, etc. These tools are developed and used by the Engineering team to boost team productivity.
GNU Affero General Public License v3.0
12
stars
18
forks
source link
CVE-2023-23934 (Low) detected in Werkzeug-2.0.3-py3-none-any.whl, Werkzeug-2.2.2-py3-none-any.whl #601
Werkzeug is a comprehensive WSGI web application library. Browsers may allow "nameless" cookies that look like `=value` instead of `key=value`. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like `=__Host-test=bad` for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie `=__Host-test=bad` as __Host-test=bad`. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. The issue is fixed in Werkzeug 2.2.3.
CVE-2023-23934 - Low Severity Vulnerability
Vulnerable Libraries - Werkzeug-2.0.3-py3-none-any.whl, Werkzeug-2.2.2-py3-none-any.whl
Werkzeug-2.0.3-py3-none-any.whl
The comprehensive WSGI web application library.
Library home page: https://files.pythonhosted.org/packages/f4/f3/22afbdb20cc4654b10c98043414a14057cd27fdba9d4ae61cea596000ba2/Werkzeug-2.0.3-py3-none-any.whl
Path to dependency file: /dashboards/cortx-companion/requirements.txt
Path to vulnerable library: /dashboards/cortx-companion/requirements.txt,/dashboards/cortx-companion/requirements.txt
Dependency Hierarchy: - :x: **Werkzeug-2.0.3-py3-none-any.whl** (Vulnerable Library)
Werkzeug-2.2.2-py3-none-any.whl
The comprehensive WSGI web application library.
Library home page: https://files.pythonhosted.org/packages/c8/27/be6ddbcf60115305205de79c29004a0c6bc53cec814f733467b1bb89386d/Werkzeug-2.2.2-py3-none-any.whl
Path to dependency file: /dashboards/perf-rest/requirements.txt
Path to vulnerable library: /dashboards/perf-rest/requirements.txt
Dependency Hierarchy: - flask_restx-0.5.1-py2.py3-none-any.whl (Root Library) - :x: **Werkzeug-2.2.2-py3-none-any.whl** (Vulnerable Library)
Found in HEAD commit: 8cb5c624d5223f1adadc936267c5b99613c1073f
Found in base branch: main
Vulnerability Details
Werkzeug is a comprehensive WSGI web application library. Browsers may allow "nameless" cookies that look like `=value` instead of `key=value`. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like `=__Host-test=bad` for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie `=__Host-test=bad` as __Host-test=bad`. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. The issue is fixed in Werkzeug 2.2.3.
Publish Date: 2023-02-14
URL: CVE-2023-23934
CVSS 3 Score Details (3.5)
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Adjacent - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-23934
Release Date: 2023-02-14
Fix Resolution: Werkzeug - 2.2.3
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.