Introduced through: locust@2.14.2
Fixed in: werkzeug@3.0.1
Exploit maturity: No known exploit
Detailed paths and remediation
Introduced through: project@0.0.0 › locust@2.14.2 › werkzeug@2.2.3
Fix: Pin werkzeug to version 3.0.1
Introduced through: project@0.0.0 › locust@2.14.2 › flask@2.2.5 › werkzeug@2.2.3
Fix: Pin werkzeug to version 3.0.1
Introduced through: project@0.0.0 › locust@2.14.2 › flask-basicauth@0.2.0 › flask@2.2.5 › werkzeug@2.2.3
Fix: Pin werkzeug to version 3.0.1
…and 1 more
Security information
Factors contributing to the scoring:
Snyk: [CVSS 6.5](https://security.snyk.io/vuln/SNYK-PYTHON-WERKZEUG-6035177) - Medium Severity
NVD: Not available. NVD has not yet published its analysis.
Overview
Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity in multipart data parsing. An attacker can cause a denial of service and block worker processes from handling legitimate requests by sending crafted multipart data to an endpoint that will parse it, eventually exhausting or killing all available workers.
Exploiting this vulnerability is possible if the uploaded file starts with CR or LF and is followed by megabytes of data without these characters.
Action items: (This is lower priority but can be handled with other werkzeug issue)
Verify this is still a vulnerability, or update ticket to reflect this is not an issue and close
Address by pinning werkzeug to version 3.0.1
Completion criteria:
Vulnerability no longer appearing in snyk