CVE-2023-23934

NameCVE-2023-23934
DescriptionWerkzeug is a comprehensive WSGI web application library. Browsers may allow "nameless" cookies that look like `=value` instead of `key=value`. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like `=__Host-test=bad` for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie `=__Host-test=bad` as __Host-test=bad`. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. The issue is fixed in Werkzeug 2.2.3.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3346-1
Debian Bugs1031370

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
python-werkzeug (PTS)buster0.14.1+dfsg1-4+deb10u1vulnerable
buster (security)0.14.1+dfsg1-4+deb10u2fixed
bullseye1.0.1+dfsg1-2vulnerable
sid, bookworm2.2.2-2vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
python-werkzeugsourcebuster0.14.1+dfsg1-4+deb10u2DLA-3346-1
python-werkzeugsource(unstable)(unfixed)1031370

Notes

https://github.com/pallets/werkzeug/commit/cf275f42acad1b5950c50ffe8ef58fe62cdce028 (2.2.3)
https://github.com/pallets/werkzeug/security/advisories/GHSA-px8h-6qxv-m22q

Search for package or bug name: Reporting problems