You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Path to dependency file: /encryption-on-the-fly/requirements.txt
Path to vulnerable library: /teSource-ArchiveExtractor_747dfafb-5007-43bc-af58-18b19f548702/20190702203809_87843/20190702203750_depth_0/Werkzeug-0.15.4-py2.py3-none-any/werkzeug
Werkzeug is a comprehensive WSGI web application library. Browsers may allow "nameless" cookies that look like =value instead of key=value. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like =__Host-test=bad for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie =__Host-test=bad as __Host-test=bad`. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. The issue is fixed in Werkzeug 2.2.3.
CVE-2023-23934 - Low Severity Vulnerability
Vulnerable Library - Werkzeug-0.15.4-py2.py3-none-any.whl
The comprehensive WSGI web application library.
Library home page: https://files.pythonhosted.org/packages/9f/57/92a497e38161ce40606c27a86759c6b92dd34fcdb33f64171ec559257c02/Werkzeug-0.15.4-py2.py3-none-any.whl
Path to dependency file: /encryption-on-the-fly/requirements.txt
Path to vulnerable library: /teSource-ArchiveExtractor_747dfafb-5007-43bc-af58-18b19f548702/20190702203809_87843/20190702203750_depth_0/Werkzeug-0.15.4-py2.py3-none-any/werkzeug
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
Werkzeug is a comprehensive WSGI web application library. Browsers may allow "nameless" cookies that look like
=value
instead ofkey=value
. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like=__Host-test=bad
for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie=__Host-test=bad
as __Host-test=bad`. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. The issue is fixed in Werkzeug 2.2.3.Publish Date: 2023-02-14
URL: CVE-2023-23934
CVSS 3 Score Details (3.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-23934
Release Date: 2023-02-14
Fix Resolution: 2.2.3
Step up your Open Source Security Game with Mend here
The text was updated successfully, but these errors were encountered: