The Pallets Projects Werkzeug 3.0.0

CPE Details

Version 3.0.0
2023-11-01 13h27 +00:00

CPE Name: cpe:2.3:a:palletsprojects:werkzeug:3.0.0:*:*:*:*:*:*:*

Information

Vendor

palletsprojects

Product

werkzeug

Version

3.0.0

Related CVE


CVE ID: CVE-2024-49767
Published: 2024-10-25 19h41 +00:00
Description: Werkzeug is a Web Server Gateway Interface (WSGI) web application library. Applications that use `werkzeug.formparser.MultiPartParser` from a Werkzeug version prior to 3.0.6 to parse `multipart/form-data` requests (e.g. all Flask applications) are vulnerable to a relatively simple but effective resource exhaustion (denial of service) attack. A specifically crafted form submission request can cause the parser to allocate and hold 3 to 8 times the upload size in main memory. There is no upper limit; a single upload at 1 Gbit/s can exhaust 32 GB of RAM in less than 60 seconds. Werkzeug version 3.0.6 fixes this issue.
Score: 6.9
Severity: Medium

CVE ID: CVE-2023-46136
Published: 2023-10-24 23h48 +00:00
Description: Werkzeug is a comprehensive WSGI web application library. If an uploaded file starts with CR or LF and is then followed by megabytes of data without these characters, all of these bytes are appended chunk by chunk into an internal bytearray, and the lookup for the boundary is performed on the growing buffer. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. This vulnerability has been patched in version 3.0.1.
Score: 8
Severity: High