Количество 9
Количество 9
GHSA-px8h-6qxv-m22q
Incorrect parsing of nameless cookies leads to __Host- cookies bypass
CVE-2023-23934
Werkzeug is a comprehensive WSGI web application library. Browsers may allow "nameless" cookies that look like `=value` instead of `key=value`. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like `=__Host-test=bad` for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie `=__Host-test=bad` as __Host-test=bad`. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. The issue is fixed in Werkzeug 2.2.3.
CVE-2023-23934
Werkzeug is a comprehensive WSGI web application library. Browsers may allow "nameless" cookies that look like `=value` instead of `key=value`. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like `=__Host-test=bad` for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie `=__Host-test=bad` as __Host-test=bad`. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. The issue is fixed in Werkzeug 2.2.3.
CVE-2023-23934
Werkzeug is a comprehensive WSGI web application library. Browsers may allow "nameless" cookies that look like `=value` instead of `key=value`. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like `=__Host-test=bad` for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie `=__Host-test=bad` as __Host-test=bad`. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. The issue is fixed in Werkzeug 2.2.3.
CVE-2023-23934
CVE-2023-23934
Werkzeug is a comprehensive WSGI web application library. Browsers may ...
BDU:2023-02449
Уязвимость библиотеки веб-приложения WSGI Werkzeug, связанная с распределением ресурсов без ограничений или регулирования, позволяющая нарушителю подменить файл cookie
ELSA-2023-12709
ELSA-2023-12709: python-werkzeug security update (LOW)
ROS-20240703-09
Множественные уязвимости python-werkzeug
Уязвимостей на страницу
Уязвимость | CVSS | EPSS | Опубликовано | |
|---|---|---|---|---|
| GHSA-px8h-6qxv-m22q Incorrect parsing of nameless cookies leads to __Host- cookies bypass | CVSS3: 2.6 | 0% Низкий | больше 2 лет назад |
 | CVE-2023-23934 Werkzeug is a comprehensive WSGI web application library. Browsers may allow "nameless" cookies that look like `=value` instead of `key=value`. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like `=__Host-test=bad` for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie `=__Host-test=bad` as __Host-test=bad`. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. The issue is fixed in Werkzeug 2.2.3. | CVSS3: 2.6 | 0% Низкий | больше 2 лет назад |
 | CVE-2023-23934 Werkzeug is a comprehensive WSGI web application library. Browsers may allow "nameless" cookies that look like `=value` instead of `key=value`. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like `=__Host-test=bad` for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie `=__Host-test=bad` as __Host-test=bad`. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. The issue is fixed in Werkzeug 2.2.3. | CVSS3: 2.6 | 0% Низкий | больше 2 лет назад |
 | CVE-2023-23934 Werkzeug is a comprehensive WSGI web application library. Browsers may allow "nameless" cookies that look like `=value` instead of `key=value`. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like `=__Host-test=bad` for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie `=__Host-test=bad` as __Host-test=bad`. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. The issue is fixed in Werkzeug 2.2.3. | CVSS3: 2.6 | 0% Низкий | больше 2 лет назад |
 | CVSS3: 3.5 | 0% Низкий | больше 2 лет назад | |
| CVE-2023-23934 Werkzeug is a comprehensive WSGI web application library. Browsers may ... | CVSS3: 2.6 | 0% Низкий | больше 2 лет назад |
 | BDU:2023-02449 Уязвимость библиотеки веб-приложения WSGI Werkzeug, связанная с распределением ресурсов без ограничений или регулирования, позволяющая нарушителю подменить файл cookie | CVSS3: 3.5 | 0% Низкий | больше 2 лет назад |
| ELSA-2023-12709 ELSA-2023-12709: python-werkzeug security update (LOW) | почти 2 года назад | ||
 | ROS-20240703-09 Множественные уязвимости python-werkzeug | CVSS3: 7.5 | 12 месяцев назад |
Уязвимостей на страницу