[Snyk: Med] werkzeug Inefficient Algorithmic Complexity (Due 12/31/23)

[cnlucas]

Introduced through
locust@2.14.2
Fixed in
werkzeug@3.0.1

Exploit maturity
No known exploit

Detailed paths and remediation

Introduced through: project@0.0.0 › locust@2.14.2 › werkzeug@2.2.3
Fix: Pin werkzeug to version 3.0.1

Introduced through: project@0.0.0 › locust@2.14.2 › flask@2.2.5 › werkzeug@2.2.3
Fix: Pin werkzeug to version 3.0.1
Introduced through: project@0.0.0 › locust@2.14.2 › flask-basicauth@0.2.0 › flask@2.2.5 › werkzeug@2.2.3
Fix: Pin werkzeug to version 3.0.1

…and 1 more
Security information
Factors contributing to the scoring:

Snyk: [CVSS 6.5](https://security.snyk.io/vuln/SNYK-PYTHON-WERKZEUG-6035177) - Medium Severity
NVD: Not available. NVD has not yet published its analysis.

Why are the scores different? Learn how Snyk evaluates vulnerability scores
Overview

Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity in multipart data parsing. An attacker can cause a denial of service and block worker processes from handling legitimate requests by sending crafted multipart data to an endpoint that will parse it, eventually exhausting or killing all available workers.

Exploiting this vulnerability is possible if the uploaded file starts with CR or LF and is followed by megabytes of data without these characters.

Action items: (This is lower prioirity buyt can be handled with other werkzeug issue)

• Verify this is still a vulnerability, or update ticket to reflect this is not an issue and close
• Address by pinning werkzeug to version 3.0.1

Completion criteria:

• Vulnerability no longer appearing in snyk

[cnlucas]

This is for requirements-dev

[pkfec]

see ##5636