Home > Vulnerability Database > CVE-2023-46136

Mend.io Vulnerability Database

CVE-2023-46136

Good to know:

Date: October 25, 2023

Werkzeug is a comprehensive WSGI web application library. If an upload of a file that starts with CR or LF and then is followed by megabytes of data without these characters: all of these bytes are appended chunk by chunk into internal bytearray and lookup for boundary is performed on growing buffer. This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. This vulnerability has been patched in version 3.0.1.

Language: Python

Severity Score

7.5

Related Resources (5)

Url: https://github.com/pallets/werkzeug/commit/f3c803b3ade485a45f12b6d6617595350c0f03e2

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-46136

Url: https://security-tracker.debian.org/tracker/CVE-2023-46136

Url: https://github.com/pallets/werkzeug/security/advisories/GHSA-hrfv-mqp8-q5rw

Url: https://www.mend.io/vulnerability-database/CVE-2023-46136

Severity Score

7.5

Weakness Type (CWE)

Algorithmic Complexity

CWE-407

Out-of-bounds Write

CWE-787

Uncontrolled Resource Consumption ('Resource Exhaustion')

CWE-400

Top Fix

Upgrade Version

Upgrade to version werkzeug - 2.3.8,3.0.1

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2023-46136

Good to know:

Date: October 25, 2023

Language: Python

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?