Advisories » MGASA-2024-0351

Updated python-werkzeug packages fix security vulnerability

Publication date: 09 Nov 2024
Modification date: 09 Nov 2024
Type: security
Affected Mageia releases : 9
CVE: CVE-2024-49767

Description

Werkzeug is a Web Server Gateway Interface web application library.
Applications using `werkzeug.formparser.MultiPartParser` corresponding
to a version of Werkzeug prior to 3.0.6 to parsing `multipart/form-data`
requests (e.g. all flask applications) are vulnerable to a relatively
simple but effective resource exhaustion (denial of service) attack. A
specifically crafted form submission request can cause the parser to
allocate and block 3 to 8 times the upload size in main memory. There is
no upper limit; a single upload at 1 Gbit/s can exhaust 32 GB of RAM in
less than 60 seconds. Werkzeug version 3.0.6 fixes this issue.
                

References

• https://bugs.mageia.org/show_bug.cgi?id=33732
• https://ubuntu.com/security/notices/USN-7093-1
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-49767

SRPMS

9/core

• python-werkzeug-3.0.6-1.mga9