Werkzeug is a Web Server Gateway Interface web application library. Applications using `werkzeug.formparser.MultiPartParser` corresponding to a version of Werkzeug prior to 3.0.6 to parse `multipart/form-data` requests (e.g. all flask applications) are vulnerable to a relatively simple but effective resource exhaustion (denial of service) attack. A specifically crafted form submission request can cause the parser to allocate and block 3 to 8 times the upload size in main memory. There is no upper limit; a single upload at 1 Gbit/s can exhaust 32 GB of RAM in less than 60 seconds. Werkzeug version 3.0.6 fixes this issue.
Werkzeug is a Web Server Gateway Interface web application library. On Python < 3.11 on Windows, os.path.isabs() does not catch UNC paths like //server/share. Werkzeug's safe_join() relies on this check, and so can produce a path that is not safe, potentially allowing unintended access to data. Applications using Python >= 3.11, or not using Windows, are not vulnerable. Werkzeug version 3.0.6 contains a patch.
srikanthjg
commented
1 month ago
The comprehensive WSGI web application library.
Library home page: https://files.pythonhosted.org/packages/9d/6e/e792999e816d19d7fcbfa94c730936750036d65656a76a5a688b57a656c4/werkzeug-3.0.3-py3-none-any.whl
Path to dependency file: /examples/trace-analytics-sample-app/sample-app/requirements.txt
Path to vulnerable library: /examples/trace-analytics-sample-app/sample-app/requirements.txt
Found in HEAD commit: 675864d120e8f88deeee2b341254353c827e06de
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2024-49767
### Vulnerable Library - werkzeug-3.0.3-py3-none-any.whlThe comprehensive WSGI web application library.
Library home page: https://files.pythonhosted.org/packages/9d/6e/e792999e816d19d7fcbfa94c730936750036d65656a76a5a688b57a656c4/werkzeug-3.0.3-py3-none-any.whl
Path to dependency file: /examples/trace-analytics-sample-app/sample-app/requirements.txt
Path to vulnerable library: /examples/trace-analytics-sample-app/sample-app/requirements.txt
Dependency Hierarchy: - :x: **werkzeug-3.0.3-py3-none-any.whl** (Vulnerable Library)
Found in HEAD commit: 675864d120e8f88deeee2b341254353c827e06de
Found in base branch: main
### Vulnerability DetailsWerkzeug is a Web Server Gateway Interface web application library. Applications using `werkzeug.formparser.MultiPartParser` corresponding to a version of Werkzeug prior to 3.0.6 to parse `multipart/form-data` requests (e.g. all flask applications) are vulnerable to a relatively simple but effective resource exhaustion (denial of service) attack. A specifically crafted form submission request can cause the parser to allocate and block 3 to 8 times the upload size in main memory. There is no upper limit; a single upload at 1 Gbit/s can exhaust 32 GB of RAM in less than 60 seconds. Werkzeug version 3.0.6 fixes this issue.
Publish Date: 2024-10-25
URL: CVE-2024-49767
### CVSS 3 Score Details (7.5)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/pallets/werkzeug/security/advisories/GHSA-q34m-jh98-gwm2
Release Date: 2024-10-25
Fix Resolution: quart - 0.19.7;werkzeug - 3.0.6
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2024-49766
### Vulnerable Library - werkzeug-3.0.3-py3-none-any.whlThe comprehensive WSGI web application library.
Library home page: https://files.pythonhosted.org/packages/9d/6e/e792999e816d19d7fcbfa94c730936750036d65656a76a5a688b57a656c4/werkzeug-3.0.3-py3-none-any.whl
Path to dependency file: /examples/trace-analytics-sample-app/sample-app/requirements.txt
Path to vulnerable library: /examples/trace-analytics-sample-app/sample-app/requirements.txt
Dependency Hierarchy: - :x: **werkzeug-3.0.3-py3-none-any.whl** (Vulnerable Library)
Found in HEAD commit: 675864d120e8f88deeee2b341254353c827e06de
Found in base branch: main
### Vulnerability DetailsWerkzeug is a Web Server Gateway Interface web application library. On Python < 3.11 on Windows, os.path.isabs() does not catch UNC paths like //server/share. Werkzeug's safe_join() relies on this check, and so can produce a path that is not safe, potentially allowing unintended access to data. Applications using Python >= 3.11, or not using Windows, are not vulnerable. Werkzeug version 3.0.6 contains a patch.
Publish Date: 2024-10-25
URL: CVE-2024-49766
### CVSS 3 Score Details (3.7)Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here. ### Suggested FixType: Upgrade version
Origin: https://github.com/pallets/werkzeug/security/advisories/GHSA-f9vj-2wh5-fj8j
Release Date: 2024-10-25
Fix Resolution: Werkzeug - 3.0.6
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.