Input validation error in Werkzeug

#VU72340 Input validation error in Werkzeug

Cybersecurity Help s.r.o.

Published: 2023-02-16

Vulnerability identifier: #VU72340

Vulnerability risk: Low

CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-23934

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Werkzeug
Web applications / JS libraries

Vendor: The Pallets Projects

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient validation of "nameless" cookies. A remote attacker can manipulate cookie values for an arbitrary domain.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Werkzeug: 0.1 - 2.2.2

External links
http://github.com/pallets/werkzeug/security/advisories/GHSA-px8h-6qxv-m22q
http://github.com/pallets/werkzeug/commit/cf275f42acad1b5950c50ffe8ef58fe62cdce028
http://github.com/pallets/werkzeug/releases/tag/2.2.3

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in QRadar Incident Forensics

Multiple vulnerabilities in IBM QRadar SIEM

Amazon Linux AMI update for python-werkzeug

Multiple vulnerabilities in IBM QRadar Assistant

Multiple vulnerabilities in IBM Cloud Pak for Multicloud Management

Multiple vulnerabilities in IBM Cloud Pak for Watson AIOps

Multiple vulnerabilities in IBM SOAR QRadar Plugin App

Fedora EPEL 7 update for python3-werkzeug

openEuler update for python-werkzeug

Fedora 37 update for mingw-python-werkzeug