python3-werkzeug: fix for CVE-2023-23934 - linux/meta-openembedded.git - Mirror of git.openembedded.org/meta-openembedded

diff options

author	Narpat Mali <narpat.mali@windriver.com>	2023-05-10 13:48:49 +0000
committer	Armin Kuster <akuster808@gmail.com>	2023-06-11 11:43:33 -0400
commit	bdad2a789e30703a825b876279665720d06d55dc (patch)
tree	62650a9342a8dc72737dfbb060d094d52987d068 /meta-python/recipes-devtools/python/python3-sqlparse
parent	fca236e75a88063489b899e42f7c11b2051a62aa (diff)
download	meta-openembedded-bdad2a789e30703a825b876279665720d06d55dc.tar.gz

python3-werkzeug: fix for CVE-2023-23934

Werkzeug is a comprehensive WSGI web application library. Browsers may allow "nameless" cookies that look like `=value` instead of `key=value`. A vulnerable browser may allow a compromised application on an adjacent subdomain to exploit this to set a cookie like `=__Host-test=bad` for another subdomain. Werkzeug prior to 2.2.3 will parse the cookie `=__Host-test=bad` as __Host-test=bad`. If a Werkzeug application is running next to a vulnerable or malicious subdomain which sets such a cookie using a vulnerable browser, the Werkzeug application will see the bad cookie value but the valid cookie key. The issue is fixed in Werkzeug 2.2.3. Signed-off-by: Narpat Mali <narpat.mali@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>

Diffstat (limited to 'meta-python/recipes-devtools/python/python3-sqlparse')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: