ELSA-2023-12709

Published: 06 Aug 2023
Source: oracle-oval
Platform: Oracle Linux 8

Description

ELSA-2023-12709: python-werkzeug security update (LOW)

[0.12.2-4.0.1]

  • Fix CVE-2023-23934 [Orabug: 35662419]
  • Fix CVE-2023-25577 [Orabug: 35662419]
  • enable tests [Orabug: 35662419]

Updated packages

Oracle Linux 8

  aarch64: python3-werkzeug 0.12.2-4.0.1.el8
  x86_64:  python3-werkzeug 0.12.2-4.0.1.el8

Related CVEs: CVE-2023-23934, CVE-2023-25577

Related vulnerabilities

CVSS3: 7.5
redos
12 months ago

Multiple vulnerabilities in python-werkzeug

CVSS3: 2.6
ubuntu
more than 2 years ago

Werkzeug is a comprehensive WSGI web application library. Browsers may allow "nameless" cookies that look like `=value` instead of `key=value`. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like `=__Host-test=bad` for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie `=__Host-test=bad` as `__Host-test=bad`. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. The issue is fixed in Werkzeug 2.2.3.

CVSS3: 2.6
redhat
more than 2 years ago

Same description as the ubuntu entry for this CVE above.

CVSS3: 2.6
nvd
more than 2 years ago

Same description as the ubuntu entry for this CVE above.
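
The parsing behaviour described in the CVE-2023-23934 entries above, as an added example that is not Werkzeug's own code. `parse_cookie_legacy` uses a constructed regex that reproduces the symptom the advisory describes for Werkzeug before 2.2.3: a nameless cookie `=__Host-test=bad` is read as name `__Host-test`, value `bad`, so a value planted by a sibling subdomain shows up under a `__Host-` name the application trusts. `parse_cookie_fixed` splits each `;`-separated pair on its first `=` and drops pairs with an empty name, which is the property the 2.2.3 fix establishes; the exact implementation, the regex, the `ATTACK_HEADER` value and the first-wins handling of repeated names are assumptions made for this example.

```python
"""Simplified cookie parsers modelling CVE-2023-23934 (added example, not Werkzeug code)."""
import re
from typing import Dict

# Constructed regex: the name must be at least one character that is not '=' or ';',
# so a leading '=' is skipped and the scanner resynchronises on the next name.
# This models the pre-2.2.3 symptom only; it is not Werkzeug's actual regex.
_LEGACY_COOKIE_RE = re.compile(r"(?P<name>[^=;\s]+)\s*=\s*(?P<value>[^;]*)")


def parse_cookie_legacy(header: str) -> Dict[str, str]:
    """Model of the vulnerable behaviour: scan for name=value anywhere in the header.

    For '=__Host-test=bad' the empty name is skipped and the remainder is
    re-interpreted as '__Host-test=bad', exactly the confusion the advisory describes.
    """
    cookies: Dict[str, str] = {}
    for match in _LEGACY_COOKIE_RE.finditer(header):
        cookies.setdefault(match.group("name"), match.group("value").strip())
    return cookies


def parse_cookie_fixed(header: str) -> Dict[str, str]:
    """Hardened parser: split on ';', then on the first '=', reject empty names.

    A nameless cookie ('=value') is dropped instead of being re-interpreted.
    When a name repeats, the first value is kept (a choice made for this example,
    mirroring how a MultiDict lookup returns the first value).
    """
    cookies: Dict[str, str] = {}
    for pair in header.split(";"):
        pair = pair.strip()
        if not pair:
            continue
        name, sep, value = pair.partition("=")
        name = name.strip()
        if not sep or not name:
            # '=value' (nameless) or a bare token: skip rather than guess a name.
            continue
        cookies.setdefault(name, value.strip())
    return cookies


# Constructed Cookie header: the application's own session cookie followed by a
# nameless cookie planted from an adjacent subdomain via a permissive browser.
ATTACK_HEADER = "session=abc; =__Host-test=bad"


def compare(header: str = ATTACK_HEADER):
    """Return (legacy, fixed) parses of the same header for side-by-side inspection."""
    return parse_cookie_legacy(header), parse_cookie_fixed(header)


if __name__ == "__main__":
    legacy, fixed = compare()
    print("legacy (< 2.2.3 model):", legacy)
    print("fixed  (>= 2.2.3 model):", fixed)
```

Running the block shows the legacy model returning `__Host-test` with the attacker's value while the fixed model returns only the `session` cookie. A `__Host-` prefixed cookie is supposed to be settable only by the exact host that reads it, so the check a practitioner wants is that an empty cookie name never resolves to any trusted name; the Oracle Linux 8 package on this page (python3-werkzeug 0.12.2-4.0.1.el8) carries the fix as a backport, so the installed release should be compared against that NVR rather than against upstream 2.2.3.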

CVSS3: 3.5
msrc
more than 2 years ago

No description available