Bugzilla – Bug 1216581
VUL-0: CVE-2023-46136: python-Werkzeug: denial of service by sending crafted multipart data to an endpoint
Last modified: 2024-05-03 17:28:15 UTC
Werkzeug is a comprehensive WSGI web application library. If an uploaded file starts with CR or LF and is then followed by megabytes of data without either of these characters, all of those bytes are appended chunk by chunk to an internal bytearray, and the lookup for the boundary is performed on the growing buffer each time. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. This vulnerability has been patched in version 3.0.1.
References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-46136
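The buffering pattern behind the description above, as an added illustration that is not Werkzeug's code: a scanner that holds everything from the earliest trailing CR/LF and re-searches the whole buffer after each chunk, beside a hardened one that releases all but a delimiter-length tail. The delimiter name and sample body are constructed; both functions return the data before the delimiter and the total number of bytes searched, so the quadratic versus linear cost is visible.

```python
def _rindex_or_len(buf: bytearray, needle: bytes) -> int:
    i = buf.rfind(needle)
    return len(buf) if i == -1 else i


def scan_unbounded(payload: bytes, delim: bytes, chunk: int) -> tuple[bytes, int]:
    """Vulnerable pattern: hold everything from the earliest trailing CR/LF on
    (a delimiter may start there) and re-search the whole buffer per chunk.
    Returns (data before delimiter, total bytes searched)."""
    buf, out, scanned = bytearray(), bytearray(), 0
    for i in range(0, len(payload), chunk):
        buf += payload[i:i + chunk]
        scanned += len(buf)  # find() walks the whole growing buffer
        idx = buf.find(delim)
        if idx != -1:
            return bytes(out + buf[:idx]), scanned
        # A leading CR/LF with no later line break keeps cut at 0, so no byte
        # is ever released and the buffer only grows.
        cut = min(_rindex_or_len(buf, b"\n"), _rindex_or_len(buf, b"\r"))
        out += buf[:cut]
        del buf[:cut]
    return bytes(out), scanned


def scan_bounded(payload: bytes, delim: bytes, chunk: int) -> tuple[bytes, int]:
    """Hardened pattern: only the last len(delim) - 1 bytes can begin a
    delimiter that is not yet complete, so everything before them is released
    at once and each search covers at most one chunk plus that tail."""
    keep = len(delim) - 1
    buf, out, scanned = bytearray(), bytearray(), 0
    for i in range(0, len(payload), chunk):
        buf += payload[i:i + chunk]
        scanned += len(buf)  # bounded by chunk + keep
        idx = buf.find(delim)
        if idx != -1:
            return bytes(out + buf[:idx]), scanned
        cut = max(0, len(buf) - keep)
        out += buf[:cut]
        del buf[:cut]
    return bytes(out), scanned


# Constructed sample: the CR/LF-first shape the advisory describes, a run of
# filler bytes, then the part delimiter (boundary name is made up).
DELIM = b"\r\n--frontier"
SAMPLE = b"\n" + b"A" * 10_000 + DELIM

if __name__ == "__main__":
    for fn in (scan_unbounded, scan_bounded):
        data, work = fn(SAMPLE, DELIM, 1000)
        print(f"{fn.__name__}: {len(data)} data bytes, {work} bytes searched")
```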
Factory is also impacted. I've updated it there first.
This is an autogenerated message for OBS integration: This bug (1216581) was mentioned in https://build.opensuse.org/request/show/1120656 Factory / python-Werkzeug
SUSE-SU-2023:4288-1: An update that solves one vulnerability can now be installed.
Category: security (important)
Bug References: 1216581
CVE References: CVE-2023-46136
Sources used:
openSUSE Leap 15.4 (src): python-Werkzeug-2.3.6-150400.6.6.1, python-Werkzeug-test-2.3.6-150400.6.6.1
openSUSE Leap 15.5 (src): python-Werkzeug-2.3.6-150400.6.6.1
Python 3 Module 15-SP4 (src): python-Werkzeug-2.3.6-150400.6.6.1
Python 3 Module 15-SP5 (src): python-Werkzeug-2.3.6-150400.6.6.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.