[Snyk: Med] werkzeug Inefficient Algorithmic Complexity (Due 12/31/23) #5636
Comments
cnlucas
added
Security: moderate
|
With current werkzeug version 2.2.3 upload and download functionality work OK. We don't support uploading/downloading files that start with CL and LR. Big change in werkzeug version 2.3: Passing bytes is deprecated and support will be removed in Werkzeug 3.0. I recently updated Werkzeug to version 2.3.0 and observed that the functionality for uploading legal documents to Elasticsearch is functioning properly. However, I encountered an issue in the downloads and download task process where the query string is being encoded/decoded into a bytestring. It's worth noting that Werkzeug no longer supports byte conversion starting from version 2.3 onwards. For now i am going to ignore this vulnerability in snyk (for 90 days) while we research how to upgrade werkzeug without impacting the downloads and download task |
Introduced through
werkzeug@2.2.3, flask@2.2.5 and others
Fixed in
werkzeug@3.0.1
Detailed paths and remediation
Introduced through: project@0.0.0 › flask@2.2.5 › werkzeug@2.2.3
Fix: Pin werkzeug to version 3.0.1
Introduced through: project@0.0.0 › flask-apispec@0.11.4 › flask@2.2.5 › werkzeug@2.2.3
Fix: Pin werkzeug to version 3.0.1
…and 3 more
Security information
Factors contributing to the scoring:
Why are the scores different? Learn how Snyk evaluates vulnerability scores
Overview
Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity in multipart data parsing. An attacker can cause a denial of service and block worker processes from handling legitimate requests by sending crafted multipart data to an endpoint that will parse it, eventually exhausting or killing all available workers.
Exploiting this vulnerability is possible if the uploaded file starts with CR or LF and is followed by megabytes of data without these characters.
Action items:
Completion criteria:
The text was updated successfully, but these errors were encountered: