First published: Tue Oct 24 2023(Updated: )
Pallets Werkzeug is vulnerable to a denial of service, caused by a flaw when parsing multipart/form-data containing a large part with CR/LF character at the beginning. By sending a specially crafted request, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition.
Credit: security-advisories@github.com security-advisories@github.com
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/python-werkzeug | <3.0.1 | 3.0.1 |
IBM Concert Software | <=1.0.0, 1.0.1, 1.0.2, 1.0.2.1 | |
pip/werkzeug | <2.3.8 | 2.3.8 |
pip/werkzeug | >=3.0.0<3.0.1 | 3.0.1 |
Palletsprojects Werkzeug | <2.3.8 | |
Palletsprojects Werkzeug | =3.0.0 | |
<2.3.8 | ||
=3.0.0 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2023-46136 is a vulnerability in the Werkzeug library that allows for a file upload issue.
The impact of CVE-2023-46136 is high, with a severity value of 8, as it allows for potential unauthorized access to uploaded files.
CVE-2023-46136 occurs due to inefficient code in the Werkzeug multipart data parser, which allows for potential boundary parsing issues when uploading files beginning with CR or LF characters.
The affected software version of CVE-2023-46136 is Werkzeug 3.0.0, with version 3.0.1 being the remedy.
To fix CVE-2023-46136, update Werkzeug to version 3.0.1 or higher.