CVE-2023-46136: Werkzeug vulnerable to high resource usage when parsing multipart/form-data containing a large part with CR/LF character at the beginning
First published: Tue Oct 24 2023(Updated: )
Pallets Werkzeug is vulnerable to a denial of service, caused by a flaw when parsing multipart/form-data containing a large part with CR/LF character at the beginning. By sending a specially crafted request, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition.
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| pip/werkzeug | <2.3.8 | 2.3.8 |
| pip/werkzeug | >=3.0.0<3.0.1 | 3.0.1 |
| Palletsprojects Werkzeug | <2.3.8 | |
| Palletsprojects Werkzeug | =3.0.0 | |
| redhat/python-werkzeug | <3.0.1 | 3.0.1 |
| IBM Concert Software | <=1.0.0, 1.0.1, 1.0.2, 1.0.2.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/pallets/werkzeug/commit/f3c803b3ade485a45f12b6d6617595350c0f03e2
- https://github.com/pallets/werkzeug/security/advisories/GHSA-hrfv-mqp8-q5rw
- https://security.netapp.com/advisory/ntap-20231124-0008/
- https://github.com/pallets/werkzeug/commit/b1916c0c083e0be1c9d887ee2f3d696922bfc5c1
- https://nvd.nist.gov/vuln/detail/CVE-2023-46136
- https://github.com/pypa/advisory-database/tree/main/vulns/werkzeug/PYSEC-2023-221.yaml
- https://github.com/pallets/werkzeug/commit/f2300208d5e2a5076cbbb4c2aad71096fd040ef9
- https://github.com/advisories/GHSA-hrfv-mqp8-q5rw (Advisory)
- https://access.redhat.com/errata/RHSA-2023:7477
- https://access.redhat.com/errata/RHSA-2023:7473
- https://access.redhat.com/errata/RHSA-2023:7610
- https://access.redhat.com/errata/RHSA-2024:0214
- https://access.redhat.com/errata/RHSA-2024:0189
- https://bugzilla.redhat.com/show_bug.cgi?id=2246310
- https://www.ibm.com/support/pages/node/7176346 (Advisory)
- https://security.netapp.com/advisory/ntap-20231124-0008
Frequently Asked Questions
What is CVE-2023-46136?
CVE-2023-46136 is a vulnerability in the Werkzeug library that allows for a file upload issue.
What is the impact of CVE-2023-46136?
The impact of CVE-2023-46136 is high, with a severity value of 8, as it allows for potential unauthorized access to uploaded files.
How does CVE-2023-46136 work?
CVE-2023-46136 occurs due to inefficient code in the Werkzeug multipart data parser, which allows for potential boundary parsing issues when uploading files beginning with CR or LF characters.
What is the affected software version of CVE-2023-46136?
The affected software version of CVE-2023-46136 is Werkzeug 3.0.0, with version 3.0.1 being the remedy.
How can I fix CVE-2023-46136?
To fix CVE-2023-46136, update Werkzeug to version 3.0.1 or higher.
- collector/github-advisory
- alias/GHSA-hrfv-mqp8-q5rw
- alias/CVE-2023-46136
- agent/author
- agent/type
- agent/first-publish-date
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/remedy
- agent/title
- agent/weakness
- agent/event
- agent/severity
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- collector/mitre-cve
- source/MITRE
- collector/ibm-support
- source/IBM
- agent/softwarecombine
- collector/github-advisory-latest
- source/GitHub
- agent/references
- agent/last-modified-date
- agent/tags
- collector/nvd-cve
- package-manager/pip
- vendor/palletsprojects
- canonical/palletsprojects werkzeug
- version/palletsprojects werkzeug/3.0.0
- package-manager/redhat
- vendor/ibm
- canonical/ibm concert software
- version/ibm concert software/1.0.0, 1.0.1, 1.0.2, 1.0.2.1