
Update dependency Werkzeug [SECURITY] #16

Closed
wants to merge 1 commit into from

Conversation

renovate[bot]

@renovate renovate bot commented Jan 14, 2024

Mend Renovate

This PR contains the following updates:

Package                Change
Werkzeug (changelog)   ==0.16.1 -> ==3.0.2
Werkzeug (changelog)   ==0.16.1 -> ==2.2.3

GitHub Vulnerability Alerts

CVE-2023-23934

Browsers may allow "nameless" cookies that look like =value instead of key=value. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like =__Host-test=bad for another subdomain.

Werkzeug <= 2.2.2 will parse the cookie =__Host-test=bad as __Host-test=bad. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key.

CVE-2023-25577

Werkzeug's multipart form data parser will parse an unlimited number of parts, including file parts. Parts can be a small number of bytes, but each requires CPU time to parse and may use more memory as Python data. If a request can be made to an endpoint that accesses request.data, request.form, request.files, or request.get_data(parse_form_data=False), it can cause unexpectedly high resource usage.

This allows an attacker to cause a denial of service by sending crafted multipart data to an endpoint that will parse it. The amount of CPU time required can block worker processes from handling legitimate requests. The amount of RAM required can trigger an out of memory kill of the process. Unlimited file parts can use up memory and file handles. If many concurrent requests are sent continuously, this can exhaust or kill all available workers.


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.



This PR has been generated by Mend Renovate. View repository job log here.
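The following is an added example that models the nameless-cookie parsing issue from the CVE-2023-23934 advisory quoted above; it is not Werkzeug's code and not part of the Renovate comment. `parse_cookie_legacy` reproduces the behaviour the advisory describes (a cookie of the form `=key=value` is read as `key=value`), and `parse_cookie_strict` shows the hardened rule of ignoring any pair whose name is empty. The function names, the `ATTACK_HEADER` sample and the `first_value` helper are this example's own constructions.

```python
"""Model of the nameless-cookie issue described in CVE-2023-23934.

Added example, not Werkzeug's implementation. The legacy parser mimics the
behaviour the advisory describes; the strict parser drops nameless cookies.
"""
from __future__ import annotations


def _split_pairs(header: str) -> list[str]:
    # A Cookie header is a ";"-separated list of pairs with optional whitespace.
    return [p.strip() for p in header.split(";") if p.strip()]


def parse_cookie_legacy(header: str) -> list[tuple[str, str]]:
    """Mimic the pre-2.2.3 behaviour from the advisory (model only):
    a nameless cookie "=__Host-test=bad" is re-read as "__Host-test=bad"."""
    pairs: list[tuple[str, str]] = []
    for part in _split_pairs(header):
        key, sep, value = part.partition("=")
        if not sep:
            continue  # no "=" at all: not a cookie pair
        if key == "":
            # Vulnerable step: the leading "=" is discarded and the remainder
            # is parsed again, so attacker-controlled text becomes a complete
            # key=value pair under a name the application trusts.
            key, sep, value = value.partition("=")
            if not sep:
                continue
        pairs.append((key.strip(), value.strip()))
    return pairs


def parse_cookie_strict(header: str) -> list[tuple[str, str]]:
    """Hardened variant: a pair with an empty name is ignored entirely, so a
    sibling subdomain cannot smuggle a __Host- or __Secure- prefixed name
    through a nameless cookie."""
    pairs: list[tuple[str, str]] = []
    for part in _split_pairs(header):
        key, sep, value = part.partition("=")
        key = key.strip()
        if not sep or not key:
            continue
        pairs.append((key, value.strip()))
    return pairs


def first_value(pairs: list[tuple[str, str]], name: str) -> str | None:
    """Return the first value seen for a cookie name, or None."""
    for key, value in pairs:
        if key == name:
            return value
    return None


# Constructed header: the legitimate __Host- cookie plus a nameless cookie
# that a vulnerable browser forwarded from a compromised sibling subdomain.
ATTACK_HEADER = "__Host-test=good; =__Host-test=bad; theme=dark"

if __name__ == "__main__":
    print("legacy:", parse_cookie_legacy(ATTACK_HEADER))
    print("strict:", parse_cookie_strict(ATTACK_HEADER))
```

With the legacy rule the application receives two values under the trusted `__Host-test` name, one of them attacker-controlled; with the strict rule only the legitimate pair survives. Whether the browser actually sends such a cookie is outside the server's control, which is why the parser has to refuse it.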

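The next block is an added example for the CVE-2023-25577 advisory quoted above: a minimal multipart/form-data parser that stops after a fixed number of parts and rejects oversized bodies before parsing, the two controls that bound the CPU and memory cost the advisory describes. It is not Werkzeug's code and not part of the Renovate comment. The 1000-part default mirrors the `max_form_parts` setting Werkzeug 2.2.3 introduced; the parser itself, the `TooManyParts` exception, `build_multipart_body` and `check_request` are this example's own constructions.

```python
"""Added example for CVE-2023-25577 (not Werkzeug's own code).

A body made of thousands of tiny parts is rejected up front instead of being
parsed part by part. Simplified: the whole body is in memory and the boundary
is assumed not to occur inside part content.
"""
from __future__ import annotations

import re

_NAME_RE = re.compile(rb'name="([^"]*)"')


class TooManyParts(Exception):
    """Raised when a body carries more parts than the configured limit."""


def build_multipart_body(boundary: str, n_parts: int) -> bytes:
    """Construct a body of n_parts tiny text fields: a model of the DoS payload,
    where each part is a few dozen bytes yet costs the server a parse step."""
    chunks = [
        (f"--{boundary}\r\n"
         f'Content-Disposition: form-data; name="f{i}"\r\n\r\n'
         f"x\r\n").encode()
        for i in range(n_parts)
    ]
    chunks.append(f"--{boundary}--\r\n".encode())
    return b"".join(chunks)


def parse_multipart(body: bytes, boundary: str,
                    max_form_parts: int = 1000) -> dict[str, bytes]:
    """Parse body into {field name: content}, counting every part (file parts
    included) and aborting as soon as the count exceeds max_form_parts."""
    delimiter = b"--" + boundary.encode()
    fields: dict[str, bytes] = {}
    seen = 0
    for chunk in body.split(delimiter)[1:]:
        if chunk.startswith(b"--"):
            break  # closing delimiter "--boundary--"
        seen += 1
        if seen > max_form_parts:
            # Checked before this part's headers are parsed, so the limit bounds
            # the work done, not just the size of the result.
            raise TooManyParts(f"more than {max_form_parts} parts")
        if chunk.startswith(b"\r\n"):
            chunk = chunk[2:]
        headers, _, content = chunk.partition(b"\r\n\r\n")
        match = _NAME_RE.search(headers)
        name = match.group(1).decode() if match else f"part{seen}"
        if content.endswith(b"\r\n"):
            content = content[:-2]
        fields[name] = content
    return fields


def check_request(body: bytes, boundary: str, *,
                  max_content_length: int = 16 * 1024 * 1024,
                  max_form_parts: int = 1000) -> str:
    """Server-side gate: returns "ok" or the 413 reason the handler should send.
    The size check comes first because it is the cheapest test."""
    if len(body) > max_content_length:
        return "413 body too large"
    try:
        parse_multipart(body, boundary, max_form_parts)
    except TooManyParts:
        return "413 too many form parts"
    return "ok"


if __name__ == "__main__":
    print(check_request(build_multipart_body("B", 50), "B"))    # ok
    print(check_request(build_multipart_body("B", 5000), "B"))  # 413 too many form parts
```

A size limit alone does not close this issue: 5000 parts of about 50 bytes each fit comfortably under a 16 MiB cap, so the part-count limit is the control that matters for this advisory, and the two checks belong together.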
@renovate renovate bot changed the title Update dependency Werkzeug [SECURITY] Update dependency Werkzeug to v2 [SECURITY] Jan 14, 2024
@renovate renovate bot force-pushed the renovate/pypi-Werkzeug-vulnerability branch from 72eadf6 to 8d18c47 Compare January 14, 2024 20:17
@renovate renovate bot changed the title Update dependency Werkzeug to v2 [SECURITY] Update dependency Werkzeug [SECURITY] Jan 14, 2024
@renovate renovate bot force-pushed the renovate/pypi-Werkzeug-vulnerability branch from 8d18c47 to 8dea9cb Compare January 14, 2024 20:19
@renovate renovate bot changed the title Update dependency Werkzeug [SECURITY] Update dependency Werkzeug to v2 [SECURITY] Jan 14, 2024
@renovate renovate bot force-pushed the renovate/pypi-Werkzeug-vulnerability branch from 8dea9cb to 6a18841 Compare January 14, 2024 20:19
@renovate renovate bot changed the title Update dependency Werkzeug to v2 [SECURITY] Update dependency Werkzeug [SECURITY] Jan 14, 2024
@renovate renovate bot force-pushed the renovate/pypi-Werkzeug-vulnerability branch from 6a18841 to 7c1d247 Compare January 14, 2024 20:29
@renovate renovate bot changed the title Update dependency Werkzeug [SECURITY] Update dependency Werkzeug to v2 [SECURITY] Jan 14, 2024
@renovate renovate bot force-pushed the renovate/pypi-Werkzeug-vulnerability branch 2 times, most recently from 99d940e to 23f27c7 Compare January 15, 2024 07:16
@renovate renovate bot changed the title Update dependency Werkzeug to v2 [SECURITY] Update dependency Werkzeug [SECURITY] Jan 15, 2024
@renovate renovate bot changed the title Update dependency Werkzeug [SECURITY] Update dependency Werkzeug to v2 [SECURITY] Jan 15, 2024
@renovate renovate bot force-pushed the renovate/pypi-Werkzeug-vulnerability branch from 23f27c7 to 1b8636f Compare January 15, 2024 07:16
@renovate renovate bot changed the title Update dependency Werkzeug to v2 [SECURITY] Update dependency Werkzeug [SECURITY] Jan 15, 2024
@renovate renovate bot force-pushed the renovate/pypi-Werkzeug-vulnerability branch from 1b8636f to 73a230a Compare January 15, 2024 07:17
@renovate renovate bot changed the title Update dependency Werkzeug [SECURITY] Update dependency Werkzeug to v2 [SECURITY] Jan 15, 2024
@renovate renovate bot force-pushed the renovate/pypi-Werkzeug-vulnerability branch from 73a230a to 4dc793f Compare January 15, 2024 07:18
@renovate renovate bot changed the title Update dependency Werkzeug to v2 [SECURITY] Update dependency Werkzeug [SECURITY] Jan 15, 2024
@renovate renovate bot force-pushed the renovate/pypi-Werkzeug-vulnerability branch from 4dc793f to 26eea77 Compare January 15, 2024 07:20
@renovate renovate bot changed the title Update dependency Werkzeug [SECURITY] Update dependency Werkzeug to v2 [SECURITY] Jan 15, 2024
@renovate renovate bot force-pushed the renovate/pypi-Werkzeug-vulnerability branch from 26eea77 to 52deda2 Compare January 15, 2024 07:20
@renovate renovate bot changed the title Update dependency Werkzeug to v2 [SECURITY] Update dependency Werkzeug [SECURITY] Jan 15, 2024
@renovate renovate bot force-pushed the renovate/pypi-Werkzeug-vulnerability branch from 52deda2 to 2831366 Compare January 15, 2024 08:34
@renovate renovate bot changed the title Update dependency Werkzeug [SECURITY] Update dependency Werkzeug to v2 [SECURITY] Jan 15, 2024
@renovate renovate bot force-pushed the renovate/pypi-Werkzeug-vulnerability branch from 2831366 to 701daea Compare January 15, 2024 08:35
@renovate renovate bot changed the title Update dependency Werkzeug to v2 [SECURITY] Update dependency Werkzeug [SECURITY] Jan 15, 2024
@renovate renovate bot force-pushed the renovate/pypi-Werkzeug-vulnerability branch from 701daea to d1dca38 Compare January 15, 2024 08:36
@renovate renovate bot changed the title Update dependency Werkzeug [SECURITY] Update dependency Werkzeug to v2 [SECURITY] Jan 15, 2024
@renovate renovate bot force-pushed the renovate/pypi-Werkzeug-vulnerability branch from d1dca38 to a1f2050 Compare January 15, 2024 08:36
@renovate renovate bot force-pushed the renovate/pypi-Werkzeug-vulnerability branch from a25f22b to 378bfe4 Compare April 9, 2024 21:48
@renovate renovate bot changed the title Update dependency Werkzeug [SECURITY] Update dependency Werkzeug to v2 [SECURITY] Apr 9, 2024
@renovate renovate bot force-pushed the renovate/pypi-Werkzeug-vulnerability branch from 378bfe4 to e3dc406 Compare April 9, 2024 21:48
@renovate renovate bot changed the title Update dependency Werkzeug to v2 [SECURITY] Update dependency Werkzeug [SECURITY] Apr 9, 2024
@renovate renovate bot force-pushed the renovate/pypi-Werkzeug-vulnerability branch from e3dc406 to c762473 Compare April 9, 2024 21:50
@renovate renovate bot changed the title Update dependency Werkzeug [SECURITY] Update dependency Werkzeug to v2 [SECURITY] Apr 9, 2024
@renovate renovate bot force-pushed the renovate/pypi-Werkzeug-vulnerability branch from c762473 to 8a9326b Compare April 9, 2024 21:50
@renovate renovate bot changed the title Update dependency Werkzeug to v2 [SECURITY] Update dependency Werkzeug [SECURITY] Apr 9, 2024
@renovate renovate bot force-pushed the renovate/pypi-Werkzeug-vulnerability branch from 8a9326b to 92aef15 Compare April 9, 2024 21:52
@renovate renovate bot changed the title Update dependency Werkzeug [SECURITY] Update dependency Werkzeug to v2 [SECURITY] Apr 9, 2024
@renovate renovate bot force-pushed the renovate/pypi-Werkzeug-vulnerability branch from 92aef15 to ed6c3b5 Compare April 9, 2024 21:54
@renovate renovate bot changed the title Update dependency Werkzeug to v2 [SECURITY] Update dependency Werkzeug [SECURITY] Apr 9, 2024
@renovate renovate bot force-pushed the renovate/pypi-Werkzeug-vulnerability branch 2 times, most recently from 3d9839c to 1671ca5 Compare April 9, 2024 21:55
@renovate renovate bot changed the title Update dependency Werkzeug [SECURITY] Update dependency Werkzeug to v2 [SECURITY] Apr 9, 2024
@renovate renovate bot changed the title Update dependency Werkzeug to v2 [SECURITY] Update dependency Werkzeug [SECURITY] Apr 9, 2024
@renovate renovate bot force-pushed the renovate/pypi-Werkzeug-vulnerability branch 2 times, most recently from a558b90 to 75d5f8f Compare April 9, 2024 21:56
@renovate renovate bot changed the title Update dependency Werkzeug [SECURITY] Update dependency Werkzeug to v2 [SECURITY] Apr 9, 2024
@renovate renovate bot changed the title Update dependency Werkzeug to v2 [SECURITY] Update dependency Werkzeug [SECURITY] Apr 9, 2024
@renovate renovate bot force-pushed the renovate/pypi-Werkzeug-vulnerability branch from 75d5f8f to 606af0c Compare April 9, 2024 21:57
@renovate renovate bot changed the title Update dependency Werkzeug [SECURITY] Update dependency Werkzeug to v2 [SECURITY] Apr 9, 2024
@renovate renovate bot force-pushed the renovate/pypi-Werkzeug-vulnerability branch from 606af0c to 8a8fb45 Compare April 9, 2024 21:57
@renovate renovate bot changed the title Update dependency Werkzeug to v2 [SECURITY] Update dependency Werkzeug [SECURITY] Apr 11, 2024
@renovate renovate bot force-pushed the renovate/pypi-Werkzeug-vulnerability branch from 8a8fb45 to 0706233 Compare April 11, 2024 07:10
@renovate renovate bot changed the title Update dependency Werkzeug [SECURITY] Update dependency Werkzeug to v2 [SECURITY] Apr 11, 2024
@renovate renovate bot force-pushed the renovate/pypi-Werkzeug-vulnerability branch from 0706233 to 93df4a8 Compare April 11, 2024 11:06
@shaiu shaiu closed this Apr 13, 2024
@renovate renovate bot changed the title Update dependency Werkzeug to v2 [SECURITY] Update dependency Werkzeug [SECURITY] Apr 13, 2024