CVE-2023-23934

NameCVE-2023-23934
DescriptionWerkzeug is a comprehensive WSGI web application library. Browsers may allow "nameless" cookies that look like `=value` instead of `key=value`. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like `=__Host-test=bad` for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie `=__Host-test=bad` as __Host-test=bad`. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. The issue is fixed in Werkzeug 2.2.3.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3346-1, DSA-5470-1
Debian Bugs1031370

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
python-werkzeug (PTS)buster0.14.1+dfsg1-4+deb10u1vulnerable
buster (security)0.14.1+dfsg1-4+deb10u2fixed
bullseye (security), bullseye1.0.1+dfsg1-2+deb11u1fixed
bookworm2.2.2-3fixed
sid, trixie3.0.2-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
python-werkzeugsourcebuster0.14.1+dfsg1-4+deb10u2DLA-3346-1
python-werkzeugsourcebullseye1.0.1+dfsg1-2+deb11u1DSA-5470-1
python-werkzeugsource(unstable)2.2.2-31031370

Notes

https://github.com/pallets/werkzeug/commit/8c2b4b82d0cade0d37e6a88e2cd2413878e8ebd4 (2.2.3)
https://github.com/pallets/werkzeug/security/advisories/GHSA-px8h-6qxv-m22q
Search for package or bug name: Reporting problems