Bug 1216581 (CVE-2023-46136)

Summary: VUL-0: CVE-2023-46136: python-Werkzeug: denial of service by sending crafted multipart data to an endpoint
Product: [Novell Products] SUSE Security Incidents
Reporter: SMASH SMASH <smash_bz>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: abergmann, camila.matos, jsrain, steven.kowalik, stoyan.manolov
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/382981/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-46136:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description SMASH SMASH 2023-10-26 04:55:46 UTC
Werkzeug is a comprehensive WSGI web application library. If a file upload starts with CR or LF and is then followed by megabytes of data containing neither of these characters, all of those bytes are appended chunk by chunk to an internal bytearray, and the boundary lookup is performed on the growing buffer each time. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The CPU time required can block worker processes from handling legitimate requests. This vulnerability has been patched in version 3.0.1.
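To make the described failure mode concrete, here is an added example. It is not Werkzeug's code and not part of this bug report: a simplified streaming boundary search in two variants. `naive_scan` re-searches the whole accumulated buffer on every chunk, which is the quadratic behaviour the advisory describes; `bounded_scan` hands everything that can no longer be part of a delimiter to the consumer and retains only the last `len(delim) - 1` bytes, so total work stays linear in the body size. It generalizes beyond the CR/LF-prefixed case: in the naive variant any long part body that arrives in many chunks without a delimiter triggers the rescan. The boundary string, body contents and chunk size are constructed sample values, and the `bytes_examined` counter is an assumed stand-in for the work `bytes.find` does on each call.

```python
from typing import Iterable, List, Tuple

# Constructed sample values (not from the advisory or from Werkzeug).
BOUNDARY = b"----frontier"
DELIM = b"\r\n--" + BOUNDARY  # line break plus "--boundary" that ends a part body


def naive_scan(chunks: Iterable[bytes], delim: bytes = DELIM) -> Tuple[bytes, int]:
    """Append every chunk and re-search the whole growing buffer.

    Returns (part_body, bytes_examined). bytes_examined is an assumed measure
    of how many bytes find() may walk on each call; it grows quadratically when
    a long part body arrives in many chunks with no delimiter in sight.
    """
    buf = bytearray()
    examined = 0
    for chunk in chunks:
        buf += chunk
        examined += len(buf)  # find() starts from index 0 every time
        idx = buf.find(delim)
        if idx != -1:
            return bytes(buf[:idx]), examined
    raise ValueError("delimiter not found in body")


def bounded_scan(chunks: Iterable[bytes], delim: bytes = DELIM) -> Tuple[bytes, int]:
    """Hand bytes to the consumer as soon as they cannot belong to a delimiter.

    A delimiter that straddles two chunks leaves at most len(delim) - 1 bytes
    in the earlier chunk, so retaining exactly that much tail is safe. Every
    byte is then examined a bounded number of times: linear overall.
    """
    body = bytearray()
    buf = bytearray()
    examined = 0
    keep = len(delim) - 1
    for chunk in chunks:
        buf += chunk
        examined += len(buf)  # buf is at most len(chunk) + keep bytes here
        idx = buf.find(delim)
        if idx != -1:
            body += buf[:idx]
            return bytes(body), examined
        if len(buf) > keep:
            body += buf[:-keep]  # cannot contain any part of a future match
            del buf[:-keep]
    raise ValueError("delimiter not found in body")


def build_sample(part_len: int = 20_000, chunk_size: int = 1_000) -> List[bytes]:
    """Constructed body: a leading LF, then filler with no CR/LF, then the
    closing delimiter, split into fixed-size chunks as a server would read it."""
    raw = b"\n" + b"A" * (part_len - 1) + DELIM + b"--\r\n"
    return [raw[i:i + chunk_size] for i in range(0, len(raw), chunk_size)]


if __name__ == "__main__":
    sample = build_sample()
    body_a, work_a = naive_scan(sample)
    body_b, work_b = bounded_scan(sample)
    assert body_a == body_b
    print(f"naive: {work_a} bytes examined, bounded: {work_b} bytes examined")
```

With the constructed 20 000-byte body read in 1 000-byte chunks, the naive scanner examines 230 020 bytes while the bounded one examines 20 320; the gap widens with the ratio of body size to chunk size, which is exactly what lets a single large upload monopolize a worker. The same bounded-tail rule is the check to look for when reviewing any streaming parser that searches for a multi-byte terminator across chunk boundaries.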

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-46136
Comment 2 Steve Kowalik 2023-10-27 03:09:40 UTC
Factory is also impacted. I've updated it there first.
Comment 4 OBSbugzilla Bot 2023-10-27 04:35:03 UTC
This is an autogenerated message for OBS integration:
This bug (1216581) was mentioned in
https://build.opensuse.org/request/show/1120656 Factory / python-Werkzeug
Comment 5 Maintenance Automation 2023-10-31 12:30:51 UTC
SUSE-SU-2023:4288-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1216581
CVE References: CVE-2023-46136
Sources used:
openSUSE Leap 15.4 (src): python-Werkzeug-2.3.6-150400.6.6.1, python-Werkzeug-test-2.3.6-150400.6.6.1
openSUSE Leap 15.5 (src): python-Werkzeug-2.3.6-150400.6.6.1
Python 3 Module 15-SP4 (src): python-Werkzeug-2.3.6-150400.6.6.1
Python 3 Module 15-SP5 (src): python-Werkzeug-2.3.6-150400.6.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.