diff options
| author | Narpat Mali <narpat.mali@windriver.com> | 2023-05-10 13:48:49 +0000 |
|---|---|---|
| committer | Armin Kuster <akuster808@gmail.com> | 2023-06-11 11:43:33 -0400 |
| commit | bdad2a789e30703a825b876279665720d06d55dc (patch) | |
| tree | 62650a9342a8dc72737dfbb060d094d52987d068 /meta-python/recipes-devtools/python/python3-sqlparse/CVE-2023-30608.patch | |
| parent | fca236e75a88063489b899e42f7c11b2051a62aa (diff) | |
| download | meta-openembedded-bdad2a789e30703a825b876279665720d06d55dc.tar.gz | |
python3-werkzeug: fix for CVE-2023-23934
Werkzeug is a comprehensive WSGI web application library. Browsers may allow
"nameless" cookies that look like `=value` instead of `key=value`. A vulnerable
browser may allow a compromised application on an adjacent subdomain to exploit
this to set a cookie like `=__Host-test=bad` for another subdomain. Werkzeug
prior to 2.2.3 will parse the cookie `=__Host-test=bad` as __Host-test=bad`.
If a Werkzeug application is running next to a vulnerable or malicious subdomain
which sets such a cookie using a vulnerable browser, the Werkzeug application
will see the bad cookie value but the valid cookie key. The issue is fixed in
Werkzeug 2.2.3.
Signed-off-by: Narpat Mali <narpat.mali@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Diffstat (limited to 'meta-python/recipes-devtools/python/python3-sqlparse/CVE-2023-30608.patch')
0 files changed, 0 insertions, 0 deletions