Introduced through: werkzeug@2.2.3, flask@2.2.5 and others
Fixed in: werkzeug@3.0.1
Exploit maturity: No known exploit
Detailed paths and remediation
Introduced through: project@0.0.0 › werkzeug@2.2.3
Fix: Upgrade werkzeug to version 3.0.1
Introduced through: project@0.0.0 › flask@2.2.5 › werkzeug@2.2.3
Fix: Pin werkzeug to version 3.0.1
Introduced through: project@0.0.0 › flask-apispec@0.11.4 › flask@2.2.5 › werkzeug@2.2.3
Fix: Pin werkzeug to version 3.0.1
…and 3 more
Security information
Factors contributing to the scoring:
Snyk: [CVSS 6.5](https://security.snyk.io/vuln/SNYK-PYTHON-WERKZEUG-6035177) - Medium Severity
NVD: Not available. NVD has not yet published its analysis.
Overview
Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity in multipart data parsing. An attacker can cause a denial of service and block worker processes from handling legitimate requests by sending crafted multipart data to an endpoint that will parse it, eventually exhausting or killing all available workers.
Exploiting this vulnerability is possible if the uploaded file starts with CR or LF and is followed by megabytes of data without these characters: the parser appends each received chunk to an internal buffer and re-runs its boundary search over the whole, growing buffer, so the CPU time spent grows quadratically with the size of the part. Any endpoint that parses the body is exposed (in Flask, anything that touches request.form or request.files), whether or not it ever stores the upload.
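To make the "growing buffer" cost concrete, the block below is an added example, not werkzeug's code and not from this project: a simplified model of a chunked delimiter search that re-scans the whole buffer on every chunk, beside a linear-time version that only scans the new chunk plus a small overlap. The multipart body, the closing delimiter, the chunk size and the payload sizes are all constructed for illustration; the work counter approximates the bytes each `find()` walks.

```python
# Added example (not werkzeug's code): a simplified model of the growing-buffer
# boundary search behind the advisory above, beside a linear-time version.
# The body, delimiter and chunk size below are constructed for illustration.

CLOSE_DELIMITER = b"\r\n--boundary--"  # hypothetical closing boundary line
CHUNK_SIZE = 4096                       # hypothetical upstream read size


def crafted_part(payload_size):
    """Body of one multipart part shaped like the advisory describes: the data
    starts with LF and is followed by `payload_size` bytes containing no CR or
    LF, then the closing boundary."""
    return b"\n" + b"A" * payload_size + CLOSE_DELIMITER


def _chunks(data, size):
    for i in range(0, len(data), size):
        yield data[i : i + size]


def find_delimiter_quadratic(data, delimiter=CLOSE_DELIMITER, chunk_size=CHUNK_SIZE):
    """Vulnerable pattern: append each chunk to a bytearray and re-scan the
    whole buffer for the delimiter. Returns (offset, bytes_scanned)."""
    buf = bytearray()
    scanned = 0
    for chunk in _chunks(data, chunk_size):
        buf += chunk
        scanned += len(buf)            # find() walks the entire buffer again
        idx = buf.find(delimiter)
        if idx != -1:
            return idx, scanned
    return -1, scanned


def find_delimiter_linear(data, delimiter=CLOSE_DELIMITER, chunk_size=CHUNK_SIZE):
    """Hardened pattern: remember where the previous scan stopped and only
    look at the new chunk plus len(delimiter)-1 bytes of overlap, so a
    delimiter split across two chunks is still found."""
    buf = bytearray()
    scanned = 0
    search_from = 0
    for chunk in _chunks(data, chunk_size):
        buf += chunk
        scanned += len(buf) - search_from
        idx = buf.find(delimiter, search_from)
        if idx != -1:
            return idx, scanned
        # anything before this point cannot start an unseen delimiter
        search_from = max(0, len(buf) - len(delimiter) + 1)
    return -1, scanned


def compare(payload_size):
    """Both searches locate the same delimiter; only the work differs.
    Returns (quadratic_bytes_scanned, linear_bytes_scanned)."""
    body = crafted_part(payload_size)
    q_idx, q_work = find_delimiter_quadratic(body)
    l_idx, l_work = find_delimiter_linear(body)
    assert q_idx == l_idx == payload_size + 1
    return q_work, l_work


if __name__ == "__main__":
    for size in (64 * 1024, 1024 * 1024, 4 * 1024 * 1024):
        q, l = compare(size)
        print(f"{size:>9} bytes: quadratic scanned {q:>16,}  linear scanned {l:>12,}")
```

Running it shows the quadratic version's scanned-byte count climbing with the square of the part size while the linear version stays within a small constant of the body length; that gap is what lets a single multi-megabyte part pin a worker.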
Action items:
Verify this is still a vulnerability, or update the ticket to reflect that this is not an issue and close it
Address by pinning werkzeug to version 3.0.1. Note that Werkzeug 3.0 removed APIs that Flask 2.2.x still imports, so bumping werkzeug alone on the flask@2.2.5 path may also require a matching Flask upgrade; run the upload/download tests after the bump
Completion criteria:
Vulnerability no longer appearing in Snyk
With the current werkzeug version 2.2.3, upload and download functionality works OK. We don't support uploading/downloading files that start with CR and LF. Big change in werkzeug version 2.3: Passing bytes is deprecated and support will be removed in Werkzeug 3.0.
I recently updated Werkzeug to version 2.3.0 and observed that the functionality for uploading legal documents to Elasticsearch is functioning properly. However, I encountered an issue in the downloads and download task process where the query string is being encoded/decoded into a bytestring. It's worth noting that Werkzeug no longer supports byte conversion starting from version 2.3 onwards.
For now I am going to ignore this vulnerability in Snyk (for 90 days) while we research how to upgrade werkzeug without impacting the downloads and download task.