Werkzeug is a comprehensive WSGI web application library. When a multipart upload contains a part whose body starts with a CR or LF and is then followed by megabytes of data containing neither character, the parser appends each incoming chunk to an internal bytearray and re-runs the boundary search over the whole growing buffer, so the time spent parsing grows quadratically with the size of the part. An attacker can therefore cause a denial of service by sending crafted multipart data to any endpoint that parses it; the CPU time consumed can block worker processes from handling legitimate requests. This vulnerability has been patched in version 3.0.1.
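The following is an added illustration, not Werkzeug's own code, of the parsing pattern the description refers to. Both toy parsers below consume a part body chunk by chunk and look for the CRLF-prefixed boundary; the first re-scans the whole accumulated buffer and only flushes data up to the last CR/LF (so a part that begins with a bare CR and then contains no newline is never flushed), the second searches only the bytes that a newly arriving boundary could occupy and bounds what it keeps. The boundary string `frontier`, the chunk sizes and the `scanned` byte counters are constructed for the example; Werkzeug also accepts a bare LF before the boundary, which the example omits for brevity.

```python
"""Quadratic versus linear boundary scanning in a multipart DATA state.

Constructed example; the parsers here are simplified stand-ins for the
behaviour described in CVE-2023-46136, not Werkzeug's implementation.
"""

BOUNDARY = b"--frontier"          # constructed boundary for the example
MARKER = b"\r\n" + BOUNDARY       # a boundary is always preceded by a newline


def last_newline(data: bytes) -> int:
    """Earliest of the last LF and the last CR (len(data) if absent).

    Everything before this offset cannot be the start of a boundary, so a
    parser may safely flush it as part data. For data that begins with a
    bare CR and holds no other newline this returns 0: nothing is flushed.
    """
    last_nl = data.rfind(b"\n")
    last_cr = data.rfind(b"\r")
    last_nl = len(data) if last_nl == -1 else last_nl
    last_cr = len(data) if last_cr == -1 else last_cr
    return min(last_nl, last_cr)


def parse_quadratic(chunks):
    """Append each chunk and search the whole buffer again.

    Returns (part body, bytes handed to find()). The second value is the
    cost model: with a leading CR and no later newline the buffer is never
    trimmed, so each find() scans everything received so far.
    """
    buf = bytearray()
    body = bytearray()
    scanned = 0
    for chunk in chunks:
        buf += chunk
        scanned += len(buf)
        idx = buf.find(MARKER)
        if idx != -1:
            body += buf[:idx]
            return bytes(body), scanned
        cut = last_newline(buf)      # keep a possible partial marker
        body += buf[:cut]
        del buf[:cut]
    return bytes(body), scanned


def parse_linear(chunks):
    """Search only where a newly completed marker could lie, keep a bounded tail.

    A marker that was not present before this chunk must start within
    len(MARKER) - 1 bytes of the old end, and a partial marker left in the
    buffer can be at most len(MARKER) - 1 bytes long, so both the search
    window and the retained tail are bounded by the marker length.
    """
    buf = bytearray()
    body = bytearray()
    scanned = 0
    for chunk in chunks:
        start = max(0, len(buf) - len(MARKER) + 1)
        buf += chunk
        scanned += len(buf) - start
        idx = buf.find(MARKER, start)
        if idx != -1:
            body += buf[:idx]
            return bytes(body), scanned
        keep = min(len(buf) - last_newline(buf), len(MARKER) - 1)
        cut = len(buf) - keep
        body += buf[:cut]
        del buf[:cut]
    return bytes(body), scanned


def crafted_upload(data_bytes: int, chunk_size: int):
    """Constructed payload: a part that starts with CR, then only 'A' bytes,
    then the closing boundary, delivered in fixed-size network chunks."""
    part = b"\r" + b"A" * (data_bytes - 1) + MARKER + b"--\r\n"
    return [part[i:i + chunk_size] for i in range(0, len(part), chunk_size)]


if __name__ == "__main__":
    chunks = crafted_upload(200_000, 1_000)
    body_q, scanned_q = parse_quadratic(chunks)
    body_l, scanned_l = parse_linear(chunks)
    assert body_q == body_l
    print(f"part size {len(body_q)} bytes: quadratic scanned {scanned_q:,} "
          f"bytes, linear scanned {scanned_l:,} bytes "
          f"(x{scanned_q / scanned_l:.0f})")
```

With a 200 KB part delivered in 1 KB chunks the naive loop hands roughly a hundred times more bytes to the search than the bounded loop, and the gap widens linearly with the part size, which is why a multi-megabyte part is enough to tie up a worker. To check a deployment, feed the same payload to `werkzeug.sansio.multipart.MultiPartParser` via `receive_data()` and `next_event()` on the installed version and again after `pip install "werkzeug>=3.0.1"`; the wall-clock difference should be obvious.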
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2023-10-24T23:48:56.960Z

Updated: 2024-08-02T20:37:39.469Z

Reserved: 2023-10-16T17:51:35.574Z

Link: CVE-2023-46136

Vulnrichment

No data.

NVD

Status: Modified

Published: 2023-10-25T18:17:36.753

Modified: 2024-11-21T08:27:57.400

Link: CVE-2023-46136

Red Hat

Severity: Moderate

Public Date: 2023-10-25T00:00:00Z

Links: CVE-2023-46136 - Bugzilla