Update dependency Werkzeug to v3 [SECURITY] #5
Conversation
Micro-Learning Topic: Denial of service (Detected by phrase)Matched on "denial of service"The Denial of Service (DoS) attack is focused on making a resource (site, application, server) unavailable for the purpose it was designed. There are many ways to make a service unavailable for legitimate users by manipulating network packets, programming, logical, or resources handling vulnerabilities, among others. Source: https://www.owasp.org/index.php/Denial_of_Service Try a challenge in Secure Code WarriorMicro-Learning Topic: Resource exhaustion (Detected by phrase)Matched on "resource exhaustion"Allocating objects or timers with user-controlled sizes or durations can cause resource exhaustion. Try a challenge in Secure Code WarriorMicro-Learning Topic: SQL injection (Detected by phrase)Matched on "sqli"This is probably one of the two most exploited vulnerabilities in web applications and has led to a number of high profile company breaches. It occurs when an application fails to sanitize or validate input before using it to dynamically construct a statement. An attacker that exploits this vulnerability will be able to gain access to the underlying database and view or modify data without permission. Try a challenge in Secure Code WarriorHelpful references
|
renovate
bot
force-pushed
the
renovate/pypi-werkzeug-vulnerability
branch
from
d45c1aa to
af68c38
Compare
🔐 Secure Code Review (AI)No eligible code changes. Models can make mistakes. Verify before merging. |
renovate
bot
force-pushed
the
renovate/pypi-werkzeug-vulnerability
branch
12 times, most recently
from
8996e66 to
ceae65d
Compare
renovate
bot
force-pushed
the
renovate/pypi-werkzeug-vulnerability
branch
from
ceae65d to
ffafb9b
Compare
|
This PR contains the following updates:
==0.15.5->==3.0.6GitHub Vulnerability Alerts
CVE-2023-25577
Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small amount of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses
request.data,request.form,request.files, orrequest.get_data(parse_form_data=False), it can cause unexpectedly high resource usage.This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers.
CVE-2023-23934
Browsers may allow "nameless" cookies that look like
=valueinstead ofkey=value. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like=__Host-test=badfor another subdomain.Werkzeug <= 2.2.2 will parse the cookie
=__Host-test=badas__Host-test=bad. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key.CVE-2023-46136
Werkzeug multipart data parser needs to find a boundary that may be between consecutive chunks. That's why parsing is based on looking for newline characters. Unfortunately, code looking for partial boundary in the buffer is written inefficiently, so if we upload a file that starts with CR or LF and then is followed by megabytes of data without these characters: all of these bytes are appended chunk by chunk into internal bytearray and lookup for boundary is performed on growing buffer.
This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. If many concurrent requests are sent continuously, this can exhaust or kill all available workers.
CVE-2024-34069
The debugger in affected versions of Werkzeug can allow an attacker to execute code on a developer's machine under some circumstances. This requires the attacker to get the developer to interact with a domain and subdomain they control, and enter the debugger PIN, but if they are successful it allows access to the debugger even if it is only running on localhost. This also requires the attacker to guess a URL in the developer's application that will trigger the debugger.
CVE-2024-49766
On Python < 3.11 on Windows,
os.path.isabs()does not catch UNC paths like//server/share. Werkzeug'ssafe_join()relies on this check, and so can produce a path that is not safe, potentially allowing unintended access to data. Applications using Python >= 3.11, or not using Windows, are not vulnerable.CVE-2024-49767
Applications using Werkzeug to parse
multipart/form-datarequests are vulnerable to resource exhaustion. A specially crafted form body can bypass theRequest.max_form_memory_sizesetting.The
Request.max_content_lengthsetting, as well as resource limits provided by deployment software and platforms, are also available to limit the resources used during a request. This vulnerability does not affect those settings. All three types of limits should be considered and set appropriately when deploying an application.Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.