[Snyk:Medium] Werkzeug Inefficient Algorithmic Complexity (due on 05/23/2024) #5742

Closed
1 task done
pkfec opened this issue Feb 29, 2024 · 0 comments · Fixed by #5813
Assignees
Labels
Security: general General security concern or issue Security: moderate Remediate within 60 days
Milestone

Comments

@pkfec (Contributor) commented Feb 29, 2024

Overview

Affected versions of this package are vulnerable to Inefficient Algorithmic Complexity in multipart data parsing. An attacker can cause a denial of service and block worker processes from handling legitimate requests by sending crafted multipart data to an endpoint that will parse it, eventually exhausting or killing all available workers.

Exploiting this vulnerability is possible if the uploaded file starts with CR or LF and is followed by megabytes of data without these characters.

https://app.snyk.io/org/fecgov/project/7382e6c8-8f69-4afb-b910-ff61101c54fb#issue-SNYK-PYTHON-WERKZEUG-6035177

Introduced through:

Related:

#5636

Remediation:

Pin werkzeug to version 2.3.8 or 3.0.1

Completion criteria:

  • Pin werkzeug to version 2.3.8 or 3.0.1
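As an added example, not part of this issue or the fecgov project's own code, the following Python script turns the remediation above into a check: it parses a requirements file for a `werkzeug` entry and reports whether the pin is at or past the fixed releases named in the advisory (2.3.8 on the 2.x line, 3.0.1 on the 3.x line). Anything that is not an exact `==` pin is reported as `unpinned`, because a range does not guarantee a fixed version is what gets installed. The sample requirements text is constructed for the demonstration; the `check_installed` helper and all function names are this example's own.

```python
import re
from importlib import metadata

# Fixed releases named in the Snyk advisory for this issue.
FIXED_VERSIONS = {2: (2, 3, 8), 3: (3, 0, 1)}

_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)")
# name, optional extras ([...]), optional comparison operator, optional version
_REQ_RE = re.compile(
    r"^\s*(?P<name>[A-Za-z0-9_.-]+)(?:\[[^\]]*\])?\s*"
    r"(?P<op>==|>=|~=|<=|<|>|!=)?\s*(?P<ver>[0-9][^\s;#]*)?"
)

# Constructed sample; not the project's real requirements file.
SAMPLE_REQUIREMENTS = """\
Flask==2.3.3
Werkzeug==2.3.7   # one release before the multipart fix
requests>=2.31
"""


def parse_version(text):
    """Return the numeric release segment of a version string as a tuple of ints.

    Pre-release and post-release suffixes such as '3.0.1rc1' are dropped, so a
    release candidate of a fixed version is treated like that version. Short
    versions are zero-padded so '3.0' compares as (3, 0, 0).
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))


def is_patched(version):
    """True if this werkzeug version contains the multipart parsing fix."""
    v = parse_version(version)
    major = v[0]
    if major < 2:
        return False  # 0.x / 1.x lines never received the fix
    if major in FIXED_VERSIONS:
        return v >= FIXED_VERSIONS[major]
    return True  # later major lines postdate the fix


def check_requirement_line(line):
    """Classify one requirements.txt line.

    Returns None for lines that are not about werkzeug, otherwise one of
    'pinned-ok', 'pinned-vulnerable' or 'unpinned'.
    """
    line = line.split("#", 1)[0].strip()  # drop trailing comments
    if not line:
        return None
    m = _REQ_RE.match(line)
    if not m or m.group("name").lower() != "werkzeug":
        return None
    if m.group("op") != "==" or not m.group("ver"):
        return "unpinned"  # a bare name or a range is not a pin
    return "pinned-ok" if is_patched(m.group("ver")) else "pinned-vulnerable"


def audit_requirements(text):
    """Audit a requirements file body; 'missing' means werkzeug is not listed."""
    for line in text.splitlines():
        status = check_requirement_line(line)
        if status is not None:
            return status
    return "missing"


def check_installed():
    """Check the werkzeug actually installed in this interpreter, if any."""
    try:
        installed = metadata.version("werkzeug")
    except metadata.PackageNotFoundError:
        return "not-installed"
    return "installed-ok" if is_patched(installed) else "installed-vulnerable"


if __name__ == "__main__":
    print("requirements:", audit_requirements(SAMPLE_REQUIREMENTS))
    print("environment: ", check_installed())
```

Run against a real requirements file by reading it into `audit_requirements`; the environment check is useful in CI because a transitive dependency (Flask pulls in werkzeug) can resolve to a vulnerable release even when the file itself looks clean.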
@pkfec pkfec added Security: moderate Remediate within 60 days Security: general General security concern or issue labels Feb 29, 2024
@pkfec pkfec added this to the 24.i milestone Feb 29, 2024
@pkfec pkfec changed the title [Snyk:Medium] Werkzeug Inefficient Algorithmic Complexity (due on 05/23/2023) [Snyk:Medium] Werkzeug Inefficient Algorithmic Complexity (due on 05/23/2024) Feb 29, 2024
@tmpayton tmpayton self-assigned this Apr 23, 2024
@tmpayton tmpayton moved this to 📥 Assigned in Website project Apr 23, 2024
@pkfec pkfec moved this from 📥 Assigned to 👀 Ready in Website project May 9, 2024
@github-project-automation github-project-automation bot moved this from 👀 Ready to ✅ Done in Website project May 13, 2024